
Windows Analysis Report
LisectAVT_2403002C_106.exe

Overview

General Information

Sample name: LisectAVT_2403002C_106.exe
Analysis ID: 1481552
MD5: e57e7ef9d1a8b3196c522d45710ed22b
SHA1: 41e8e57e9381805b9375ca8d0a44cef5c693f566
SHA256: b737d71e4a2974fe20e65bbacbad9bfcb5709d4016a3e4f0f88bd9c8134fcad5
Tags: exe

Detection

Darkbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Yara detected Darkbot
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to access PhysicalDrive, possible boot sector overwrite
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Contains functionality to modify Windows User Account Control (UAC) settings
Creates a thread in another existing process (thread injection)
Creates multiple autostart registry keys
Deletes itself after installation
Drops PE files with benign system names
Extracts suspicious resources from PE file (packer detected)
Found API chain indicative of debugger detection
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after checking system information)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Monitors registry run keys for changes
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Searches for specific processes (likely to inject)
Sigma detected: Files With System Process Name In Unsuspected Locations
Tries to detect the country of the analysis system (by using the IP)
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Checks for available system drives (often done to infect USB drives)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to enumerate network shares
Contains functionality to get notified if a device is plugged in / out
Contains functionality to launch a program with higher privileges
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • LisectAVT_2403002C_106.exe (PID: 5344 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002C_106.exe" MD5: E57E7EF9D1A8B3196C522D45710ED22B)
    • LisectAVT_2403002C_106.exe (PID: 1552 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002C_106.exe" MD5: E57E7EF9D1A8B3196C522D45710ED22B)
      • svchost.exe (PID: 1748 cmdline: "C:\Windows\SysWOW64\svchost.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
        • mspaint.exe (PID: 2060 cmdline: "C:\Windows\SysWOW64\mspaint.exe" MD5: 986A191E95952C9E3FE6BE112FB92026)
      • calc.exe (PID: 1860 cmdline: "C:\Windows\SysWOW64\calc.exe" MD5: 961E093BE1F666FD38602AD90A5F480F)
      • LisectAVT_2403002C_106.exe (PID: 2184 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002C_106.exe" MD5: E57E7EF9D1A8B3196C522D45710ED22B)
        • WmiPrvSE.exe (PID: 4412 cmdline: C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding MD5: 64ACA4F48771A5BA50CD50F2410632AD)
        • bWgyuzlQlr.exe (PID: 6720 cmdline: "C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • bWgyuzlQlr.exe (PID: 6592 cmdline: "C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • bWgyuzlQlr.exe (PID: 3840 cmdline: "C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • bWgyuzlQlr.exe (PID: 5900 cmdline: "C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • bWgyuzlQlr.exe (PID: 972 cmdline: "C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • bWgyuzlQlr.exe (PID: 344 cmdline: "C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • bWgyuzlQlr.exe (PID: 6448 cmdline: "C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • bWgyuzlQlr.exe (PID: 4456 cmdline: "C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • bWgyuzlQlr.exe (PID: 720 cmdline: "C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • bWgyuzlQlr.exe (PID: 6708 cmdline: "C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • bWgyuzlQlr.exe (PID: 5296 cmdline: "C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • bWgyuzlQlr.exe (PID: 1528 cmdline: "C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • bWgyuzlQlr.exe (PID: 3172 cmdline: "C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • bWgyuzlQlr.exe (PID: 6680 cmdline: "C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • bWgyuzlQlr.exe (PID: 6132 cmdline: "C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • bWgyuzlQlr.exe (PID: 6368 cmdline: "C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • bWgyuzlQlr.exe (PID: 4732 cmdline: "C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • bWgyuzlQlr.exe (PID: 6596 cmdline: "C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • bWgyuzlQlr.exe (PID: 7052 cmdline: "C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • bWgyuzlQlr.exe (PID: 4832 cmdline: "C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
  • cleanup
No configs have been found
Yara matches (Source / Rule / Description / Author / Strings):

Source: Process Memory Space: LisectAVT_2403002C_106.exe PID: 5344
  Rule: JoeSecurity_Darkbot
  Description: Yara detected Darkbot
  Author: Joe Security
  Strings:
Source: Process Memory Space: LisectAVT_2403002C_106.exe PID: 1552
  Rule: JoeSecurity_Darkbot
  Description: Yara detected Darkbot
  Author: Joe Security
  Strings:
Source: Process Memory Space: svchost.exe PID: 1748
  Rule: JoeSecurity_Darkbot
  Description: Yara detected Darkbot
  Author: Joe Security
  Strings:
Source: Process Memory Space: calc.exe PID: 1860
  Rule: JoeSecurity_Darkbot
  Description: Yara detected Darkbot
  Author: Joe Security
  Strings:
Source: Process Memory Space: mspaint.exe PID: 2060
  Rule: JoeSecurity_Darkbot
  Description: Yara detected Darkbot
  Author: Joe Security
  Strings:

System Summary

Source: File created
  Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
  Data: EventID: 11, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 1748, TargetFilename: C:\Users\user\AppData\Roaming\Update\Explorer.exe
Source: Registry Key set
  Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
  Data: Details: C:\Users\user\AppData\Roaming\Update\Explorer.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 1748, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Explorer Manager
Source: Process started
  Author: Florian Roth (Nextron Systems)
  Data: Command: "C:\Windows\SysWOW64\svchost.exe", CommandLine: "C:\Windows\SysWOW64\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\LisectAVT_2403002C_106.exe", ParentImage: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe, ParentProcessId: 1552, ParentProcessName: LisectAVT_2403002C_106.exe, ProcessCommandLine: "C:\Windows\SysWOW64\svchost.exe", ProcessId: 1748, ProcessName: svchost.exe
Source: Process started
  Author: vburov
  Data: Command: "C:\Windows\SysWOW64\svchost.exe", CommandLine: "C:\Windows\SysWOW64\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\LisectAVT_2403002C_106.exe", ParentImage: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe, ParentProcessId: 1552, ParentProcessName: LisectAVT_2403002C_106.exe, ProcessCommandLine: "C:\Windows\SysWOW64\svchost.exe", ProcessId: 1748, ProcessName: svchost.exe
No Snort rule has matched
Timestamp                        SID      Source Port  Destination Port  Protocol  Classtype
2024-07-25T10:59:51.834750+0200  2802897  49707        3720              TCP       Malware Command and Control Activity Detected
2024-07-25T11:00:21.578303+0200  2802897  49717        3720              TCP       Malware Command and Control Activity Detected
2024-07-25T10:59:58.802084+0200  2018642  53           57676             UDP       A Network Trojan was detected
2024-07-25T11:00:03.140695+0200  2802897  49714        3720              TCP       Malware Command and Control Activity Detected
2024-07-25T10:59:59.937577+0200  2802897  49712        3720              TCP       Malware Command and Control Activity Detected
2024-07-25T10:58:22.973383+0200  2022930  443          49700             TCP       A Network Trojan was detected
2024-07-25T11:00:01.156800+0200  2802897  49713        3720              TCP       Malware Command and Control Activity Detected
2024-07-25T11:00:03.807830+0200  2018642  53           51237             UDP       A Network Trojan was detected
2024-07-25T10:59:03.392608+0200  2022930  443          49704             TCP       A Network Trojan was detected
2024-07-25T11:00:06.672127+0200  2802897  49716        3720              TCP       Malware Command and Control Activity Detected
2024-07-25T10:59:30.161697+0200  2802897  49706        3720              TCP       Malware Command and Control Activity Detected
2024-07-25T10:59:54.160371+0200  2018642  53           62027             UDP       A Network Trojan was detected
2024-07-25T10:59:57.609448+0200  2802897  49711        3720              TCP       Malware Command and Control Activity Detected
2024-07-25T10:59:56.328534+0200  2802897  49710        3720              TCP       Malware Command and Control Activity Detected
2024-07-25T11:00:00.062961+0200  2018642  53           57086             UDP       A Network Trojan was detected
2024-07-25T11:00:06.965977+0200  2018642  53           61792             UDP       A Network Trojan was detected
2024-07-25T11:00:01.900294+0200  2018642  53           55473             UDP       A Network Trojan was detected
2024-07-25T10:59:55.187570+0200  2802897  49709        3720              TCP       Malware Command and Control Activity Detected
2024-07-25T10:59:56.600156+0200  2018642  53           65534             UDP       A Network Trojan was detected
2024-07-25T10:59:55.318169+0200  2018642  53           56256             UDP       A Network Trojan was detected
2024-07-25T11:00:05.598863+0200  2018642  53           64875             UDP       A Network Trojan was detected
2024-07-25T11:00:04.950924+0200  2802897  49715        3720              TCP       Malware Command and Control Activity Detected
2024-07-25T10:57:56.374479+0200  2802950  49714        3720              TCP       Malware Command and Control Activity Detected
2024-07-25T10:59:52.409452+0200  2018642  53           51472             UDP       A Network Trojan was detected


AV Detection

Source: LisectAVT_2403002C_106.exe
  Avira: detected
Source: http://www.google.com
  URL Reputation: Label: malware
Source: C:\Users\user\AppData\Roaming\c731200
  Avira: detection malicious, Label: TR/Patched.Ren.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe
  Avira: detection malicious, Label: TR/Patched.Ren.Gen
Source: C:\Users\user\AppData\Roaming\Update\Explorer.exe
  Avira: detection malicious, Label: TR/Patched.Ren.Gen
Source: Submitted Sample
  Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\c731200
  Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe
  Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Update\Explorer.exe
  Joe Sandbox ML: detected
Source: LisectAVT_2403002C_106.exe
  Joe Sandbox ML: detected

Location Tracking

Source: unknown
  DNS query: name: api.wipmania.com
Source: C:\Windows\SysWOW64\svchost.exe
  Code function: 16_2_00418C90 memset,WSAGetLastError,DecryptMessage,16_2_00418C90
  Code function: 16_2_00411EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError,16_2_00411EA0
  Code function: 16_2_00418B30 memset,EncryptMessage,16_2_00418B30
Source: C:\Windows\SysWOW64\calc.exe
  Code function: 17_2_03098B30 memset,EncryptMessage,17_2_03098B30
  Code function: 17_2_03098C90 memset,WSAGetLastError,DecryptMessage,17_2_03098C90
  Code function: 17_2_03091EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError,17_2_03091EA0
Source: C:\Windows\SysWOW64\mspaint.exe
  Code function: 18_2_02AB1EA0 wsprintfW,CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,FindCloseChangeNotification,GetLastError,18_2_02AB1EA0
  Code function: 18_2_02AB8C90 memset,WSAGetLastError,DecryptMessage,18_2_02AB8C90
  Code function: 18_2_02AB8B30 lstrcmpA,memset,EncryptMessage,18_2_02AB8B30
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe
  Code function: 19_2_00408C90 memset,WSAGetLastError,DecryptMessage,19_2_00408C90
  Code function: 19_2_00401EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError,19_2_00401EA0
  Code function: 19_2_00408B30 memset,EncryptMessage,19_2_00408B30
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
  Code function: 20_2_03378B30 memset,EncryptMessage,20_2_03378B30
  Code function: 20_2_03371EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError,20_2_03371EA0
  Code function: 20_2_03378C90 memset,#111,DecryptMessage,20_2_03378C90
Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe
  Code function: 21_2_00908C90 memset,WSAGetLastError,DecryptMessage,21_2_00908C90
  Code function: 21_2_00901EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError,21_2_00901EA0
  Code function: 21_2_00908B30 memset,EncryptMessage,21_2_00908B30
  Code function: 22_2_00F01EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError,22_2_00F01EA0
  Code function: 22_2_00F08C90 memset,WSAGetLastError,DecryptMessage,22_2_00F08C90
  Code function: 22_2_00F08B30 memset,EncryptMessage,22_2_00F08B30
  Code function: 23_2_00B71EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError,23_2_00B71EA0
  Code function: 23_2_00B78C90 memset,WSAGetLastError,DecryptMessage,23_2_00B78C90
  Code function: 23_2_00B78B30 memset,EncryptMessage,23_2_00B78B30
  Code function: 24_2_00978C90 memset,WSAGetLastError,DecryptMessage,24_2_00978C90
  Code function: 24_2_00971EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError,24_2_00971EA0
  Code function: 24_2_00978B30 memset,EncryptMessage,24_2_00978B30
  Code function: 25_2_010E8B30 memset,EncryptMessage,25_2_010E8B30
  Code function: 25_2_010E8C90 memset,WSAGetLastError,DecryptMessage,25_2_010E8C90
  Code function: 25_2_010E1EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError,25_2_010E1EA0
  Code function: 26_2_01688B30 memset,EncryptMessage,26_2_01688B30
  Code function: 26_2_01681EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError,26_2_01681EA0
  Code function: 26_2_01688C90 memset,WSAGetLastError,DecryptMessage,26_2_01688C90
  Code function: 27_2_00E98C90 memset,WSAGetLastError,DecryptMessage,27_2_00E98C90
  Code function: 27_2_00E91EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError,27_2_00E91EA0
  Code function: 27_2_00E98B30 memset,EncryptMessage,27_2_00E98B30
  Code function: 28_2_00D38C90 memset,WSAGetLastError,DecryptMessage,28_2_00D38C90
  Code function: 28_2_00D31EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError,28_2_00D31EA0
  Code function: 28_2_00D38B30 memset,EncryptMessage,28_2_00D38B30
  Code function: 29_2_01418B30 memset,EncryptMessage,29_2_01418B30
  Code function: 29_2_01418C90 memset,WSAGetLastError,DecryptMessage,29_2_01418C90
  Code function: 29_2_01411EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError,29_2_01411EA0
  Code function: 30_2_014F8B30 memset,EncryptMessage,30_2_014F8B30
  Code function: 30_2_014F8C90 memset,WSAGetLastError,DecryptMessage,30_2_014F8C90
  Code function: 30_2_014F1EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError,30_2_014F1EA0
  Code function: 31_2_00988C90 memset,WSAGetLastError,DecryptMessage,31_2_00988C90
  Code function: 31_2_00981EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError,31_2_00981EA0
  Code function: 31_2_00988B30 memset,EncryptMessage,31_2_00988B30
  Code function: 32_2_00FD1EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError,32_2_00FD1EA0
  Code function: 32_2_00FD8C90 memset,WSAGetLastError,DecryptMessage,32_2_00FD8C90
  Code function: 32_2_00FD8B30 memset,EncryptMessage,32_2_00FD8B30
  Code function: 33_2_015A8B30 memset,EncryptMessage,33_2_015A8B30
  Code function: 33_2_015A8C90 memset,WSAGetLastError,DecryptMessage,33_2_015A8C90
  Code function: 33_2_015A1EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError,33_2_015A1EA0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 34_2_00F81EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError,34_2_00F81EA0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 34_2_00F88C90 memset,WSAGetLastError,DecryptMessage,34_2_00F88C90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 34_2_00F88B30 memset,EncryptMessage,34_2_00F88B30
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 35_2_006D1EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError,35_2_006D1EA0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 35_2_006D8C90 memset,WSAGetLastError,DecryptMessage,35_2_006D8C90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 35_2_006D8B30 memset,EncryptMessage,35_2_006D8B30
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 36_2_006D1EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError,36_2_006D1EA0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 36_2_006D8C90 memset,WSAGetLastError,DecryptMessage,36_2_006D8C90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 36_2_006D8B30 memset,EncryptMessage,36_2_006D8B30
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 37_2_01148B30 memset,EncryptMessage,37_2_01148B30
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 37_2_01148C90 memset,WSAGetLastError,DecryptMessage,37_2_01148C90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 37_2_01141EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError,37_2_01141EA0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 38_2_00F11EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError,38_2_00F11EA0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 38_2_00F18C90 memset,WSAGetLastError,DecryptMessage,38_2_00F18C90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 38_2_00F18B30 memset,EncryptMessage,38_2_00F18B30
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 39_2_00AC1EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError,39_2_00AC1EA0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 39_2_00AC8C90 memset,WSAGetLastError,DecryptMessage,39_2_00AC8C90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 39_2_00AC8B30 memset,EncryptMessage,39_2_00AC8B30
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 40_2_00E61EA0 CreateFileW,GetLastError,CryptAcquireContextA,GetLastError,CloseHandle,CryptCreateHash,GetLastError,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,ReadFile,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,GetLastError,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,GetLastError,40_2_00E61EA0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 40_2_00E68C90 memset,WSAGetLastError,DecryptMessage,40_2_00E68C90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 40_2_00E68B30 memset,EncryptMessage,40_2_00E68B30

Compliance

Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe Unpacked PE file: 0.2.LisectAVT_2403002C_106.exe.470000.1.unpack
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe Unpacked PE file: 15.2.LisectAVT_2403002C_106.exe.2640000.1.unpack
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe Unpacked PE file: 15.2.LisectAVT_2403002C_106.exe.400000.0.unpack
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe Unpacked PE file: 19.2.LisectAVT_2403002C_106.exe.400000.0.unpack
Source: LisectAVT_2403002C_106.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: bWgyuzlQlr.exe, 00000015.00000002.2540363965.000000000028E000.00000002.00000001.01000000.00000007.sdmp, bWgyuzlQlr.exe, 00000016.00000000.2028608306.000000000028E000.00000002.00000001.01000000.00000007.sdmp, bWgyuzlQlr.exe, 00000017.00000000.2029533824.000000000028E000.00000002.00000001.01000000.00000007.sdmp, bWgyuzlQlr.exe, 00000018.00000000.2030382000.000000000028E000.00000002.00000001.01000000.00000007.sdmp, bWgyuzlQlr.exe, 00000019.00000002.2540173733.000000000028E000.00000002.00000001.01000000.00000007.sdmp, bWgyuzlQlr.exe, 0000001A.00000000.2032043976.000000000028E000.00000002.00000001.01000000.00000007.sdmp, bWgyuzlQlr.exe, 0000001B.00000002.2544092609.000000000028E000.00000002.00000001.01000000.00000007.sdmp, bWgyuzlQlr.exe, 0000001C.00000002.2532883963.000000000028E000.00000002.00000001.01000000.00000007.sdmp, bWgyuzlQlr.exe, 0000001D.00000002.2535898042.000000000028E000.00000002.00000001.01000000.00000007.sdmp, bWgyuzlQlr.exe, 0000001E.00000000.2047039338.000000000028E000.00000002.00000001.01000000.00000007.sdmp, bWgyuzlQlr.exe, 0000001F.00000000.2048135998.000000000028E000.00000002.00000001.01000000.00000007.sdmp, bWgyuzlQlr.exe, 00000020.00000002.2539767260.000000000028E000.00000002.00000001.01000000.00000007.sdmp, bWgyuzlQlr.exe, 00000021.00000002.2530475113.000000000028E000.00000002.00000001.01000000.00000007.sdmp, bWgyuzlQlr.exe, 00000022.00000002.2540270923.000000000028E000.00000002.00000001.01000000.00000007.sdmp, bWgyuzlQlr.exe, 00000023.00000002.2561678708.000000000028E000.00000002.00000001.01000000.00000007.sdmp, bWgyuzlQlr.exe, 00000024.00000000.2053747461.000000000028E000.00000002.00000001.01000000.00000007.sdmp, bWgyuzlQlr.exe, 00000025.00000002.2533580242.000000000028E000.00000002.00000001.01000000.00000007.sdmp, bWgyuzlQlr.exe, 00000026.00000000.2056366315.000000000028E000.00000002.00000001.01000000.00000007.sdmp, bWgyuzlQlr.exe, 00000027.00000002.2534453366.000000000028E000.00000002.00000001.01000000.00000007.sdmp, bWgyuzlQlr.exe, 00000028.00000002.2530398532.000000000028E000.00000002.00000001.01000000.00000007.sdmp
Source: C:\Windows\SysWOW64\svchost.exe File opened: z:
Source: C:\Windows\SysWOW64\svchost.exe File opened: x:
Source: C:\Windows\SysWOW64\svchost.exe File opened: v:
Source: C:\Windows\SysWOW64\svchost.exe File opened: t:
Source: C:\Windows\SysWOW64\svchost.exe File opened: r:
Source: C:\Windows\SysWOW64\svchost.exe File opened: p:
Source: C:\Windows\SysWOW64\svchost.exe File opened: n:
Source: C:\Windows\SysWOW64\svchost.exe File opened: l:
Source: C:\Windows\SysWOW64\svchost.exe File opened: j:
Source: C:\Windows\SysWOW64\svchost.exe File opened: h:
Source: C:\Windows\SysWOW64\svchost.exe File opened: f:
Source: C:\Windows\SysWOW64\mspaint.exe File opened: d:
Source: C:\Windows\SysWOW64\svchost.exe File opened: b:
Source: C:\Windows\SysWOW64\svchost.exe File opened: y:
Source: C:\Windows\SysWOW64\svchost.exe File opened: w:
Source: C:\Windows\SysWOW64\svchost.exe File opened: u:
Source: C:\Windows\SysWOW64\svchost.exe File opened: s:
Source: C:\Windows\SysWOW64\svchost.exe File opened: q:
Source: C:\Windows\SysWOW64\svchost.exe File opened: o:
Source: C:\Windows\SysWOW64\svchost.exe File opened: m:
Source: C:\Windows\SysWOW64\svchost.exe File opened: k:
Source: C:\Windows\SysWOW64\svchost.exe File opened: i:
Source: C:\Windows\SysWOW64\svchost.exe File opened: g:
Source: C:\Windows\SysWOW64\svchost.exe File opened: e:
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe File opened: c:
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe Code function: 15_2_0040B790 NetUserEnum,NetApiBufferFree,15_2_0040B790
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_001CB790 NetUserEnum,NetApiBufferFree,16_2_001CB790
Source: C:\Windows\SysWOW64\mspaint.exe Code function: 18_2_02A7B790 NetUserEnum,NetApiBufferFree,18_2_02A7B790
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe Code function: 15_2_00403F50 CLSIDFromString,RegisterDeviceNotificationA,15_2_00403F50
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe Code function: 15_2_0040440B lstrlenA,GetDriveTypeA,wsprintfA,SetFileAttributesA,DeleteFileA,CreateFileA,CloseHandle,DeleteFileA,GetVolumeInformationA,lstrcatA,wsprintfA,FindFirstFileA,lstrcmpA,lstrcpyA,lstrlenA,wsprintfA,wsprintfA,MoveFileA,wsprintfA,wsprintfA,StrStrA,SetFileAttributesA,DeleteFileA,FindNextFileA,wsprintfA,SetFileAttributesA,DeleteFileA,CopyFileA,SetFileAttributesA,CreateFileA,15_2_0040440B
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe Code function: 15_2_00408020 wsprintfA,FindFirstFileA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,wsprintfA,DeleteFileA,FindNextFileA,FindClose,15_2_00408020
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe Code function: 15_2_00405C20 FindFirstFileA,SetFileAttributesA,lstrcpyA,lstrcatA,MoveFileExA,FindNextFileA,FindClose,15_2_00405C20
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe Code function: 15_2_00403820 lstrcatA,FindFirstFileA,StrRChrA,lstrcpynA,lstrcatA,StrStrIA,lstrcpyA,lstrlenA,FindNextFileA,FindClose,15_2_00403820
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe Code function: 15_2_00404370 SHGetFolderPathA,wsprintfA,lstrlenA,GetDriveTypeA,wsprintfA,SetFileAttributesA,DeleteFileA,CreateFileA,CloseHandle,DeleteFileA,GetVolumeInformationA,lstrcatA,wsprintfA,FindFirstFileA,lstrcmpA,lstrcpyA,lstrlenA,wsprintfA,wsprintfA,MoveFileA,wsprintfA,wsprintfA,StrStrA,SetFileAttributesA,DeleteFileA,StrStrA,StrStrA,StrStrA,StrStrA,StrStrA,GetFileAttributesA,SetFileAttributesA,DeleteFileA,CopyFileA,SetFileAttributesA,lstrlenA,lstrlenA,MultiByteToWideChar,SetFileAttributesA,SetFileAttributesA,FindNextFileA,wsprintfA,SetFileAttributesA,DeleteFileA,CopyFileA,SetFileAttributesA,CreateFileA,15_2_00404370
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe Code function: 15_2_00405D10 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,15_2_00405D10
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe Code function: 15_2_004089D0 SHGetSpecialFolderPathA,GetComputerNameA,CharLowerA,lstrlenA,wsprintfA,FindFirstFileA,CharLowerA,wsprintfA,wsprintfA,MoveFileA,GetLastError,FindNextFileA,FindClose,15_2_004089D0
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe Code function: 15_2_00403980 SHGetFolderPathA,lstrcatA,FindFirstFileA,lstrlenA,StrRChrA,lstrcpynA,lstrcatA,FindNextFileA,FindClose,15_2_00403980
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe Code function: 15_2_00404D90 GetEnvironmentVariableA,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,FindFirstFileA,lstrcpyA,lstrcatA,StrStrA,lstrcpyA,lstrcatA,MoveFileExA,FindNextFileA,FindClose,15_2_00404D90
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe Code function: 15_2_00405D90 FindFirstFileA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,lstrcmpiA,Process32Next,FindNextFileA,15_2_00405D90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_001C8020 wsprintfA,FindFirstFileA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,FindCloseChangeNotification,wsprintfA,DeleteFileA,FindNextFileA,FindClose,16_2_001C8020
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_001C5C20 FindFirstFileA,SetFileAttributesA,lstrcpyA,lstrcatA,MoveFileExA,FindNextFileA,FindClose,16_2_001C5C20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_001C5D10 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,16_2_001C5D10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_001C4370 SHGetFolderPathA,wsprintfA,lstrlenA,GetDriveTypeA,wsprintfA,SetFileAttributesA,DeleteFileA,CreateFileA,CloseHandle,DeleteFileA,GetVolumeInformationA,lstrcatA,wsprintfA,FindFirstFileA,lstrcmpA,lstrcpyA,lstrlenA,wsprintfA,wsprintfA,MoveFileA,wsprintfA,wsprintfA,StrStrA,SetFileAttributesA,DeleteFileA,StrStrA,StrStrA,StrStrA,StrStrA,StrStrA,GetFileAttributesA,SetFileAttributesA,DeleteFileA,CopyFileA,SetFileAttributesA,lstrlenA,lstrlenA,MultiByteToWideChar,SetFileAttributesA,SetFileAttributesA,FindNextFileA,wsprintfA,SetFileAttributesA,DeleteFileA,CopyFileA,SetFileAttributesA,CreateFileA,16_2_001C4370
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_001C89D0 SHGetSpecialFolderPathA,GetComputerNameA,CharLowerA,lstrlenA,wsprintfA,FindFirstFileA,CharLowerA,wsprintfA,wsprintfA,MoveFileA,GetLastError,FindNextFileA,FindClose,16_2_001C89D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_001C440B lstrlenA,GetDriveTypeA,wsprintfA,SetFileAttributesA,DeleteFileA,CreateFileA,CloseHandle,DeleteFileA,GetVolumeInformationA,lstrcatA,wsprintfA,FindFirstFileA,lstrcmpA,lstrcpyA,lstrlenA,wsprintfA,wsprintfA,MoveFileA,wsprintfA,wsprintfA,StrStrA,SetFileAttributesA,DeleteFileA,FindNextFileA,wsprintfA,SetFileAttributesA,DeleteFileA,CopyFileA,SetFileAttributesA,CreateFileA,16_2_001C440B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_001C3820 lstrcatA,FindFirstFileA,StrRChrA,lstrcpynA,lstrcatA,StrStrIA,lstrcpyA,lstrlenA,FindNextFileA,FindClose,16_2_001C3820
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_001C5D90 FindFirstFileA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,lstrcmpiA,Process32Next,FindNextFileA,16_2_001C5D90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_001C4D90 GetEnvironmentVariableA,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,FindFirstFileA,lstrcpyA,lstrcatA,StrStrA,lstrcpyA,lstrcatA,MoveFileExA,FindNextFileA,FindClose,16_2_001C4D90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_001C3980 SHGetFolderPathA,lstrcatA,FindFirstFileA,lstrlenA,StrRChrA,lstrcpynA,lstrcatA,FindNextFileA,FindClose,16_2_001C3980
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_0041F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,16_2_0041F130
Source: C:\Windows\SysWOW64\calc.exe Code function: 17_2_0309F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,17_2_0309F130
Source: C:\Windows\SysWOW64\mspaint.exe Code function: 18_2_02A78020 wsprintfA,FindFirstFileA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,wsprintfA,DeleteFileA,FindNextFileA,FindClose,18_2_02A78020
Source: C:\Windows\SysWOW64\mspaint.exe Code function: 18_2_02A75C20 FindFirstFileA,SetFileAttributesA,lstrcpy,lstrcat,MoveFileExA,FindNextFileA,FindClose,18_2_02A75C20
Source: C:\Windows\SysWOW64\mspaint.exe Code function: 18_2_02A73820 lstrcat,FindFirstFileA,StrRChrA,lstrcpyn,lstrcat,StrStrIA,lstrcpy,lstrlen,FindNextFileA,FindClose,18_2_02A73820
Source: C:\Windows\SysWOW64\mspaint.exe Code function: 18_2_02A7440B lstrlen,GetDriveTypeA,wsprintfA,SetFileAttributesA,DeleteFileA,CreateFileA,CloseHandle,DeleteFileA,GetVolumeInformationA,lstrcat,wsprintfA,FindFirstFileA,lstrcmp,lstrcpy,lstrlen,wsprintfA,wsprintfA,MoveFileA,wsprintfA,wsprintfA,StrStrA,SetFileAttributesA,DeleteFileA,FindNextFileA,wsprintfA,SetFileAttributesA,DeleteFileA,CopyFileA,SetFileAttributesA,CreateFileA,18_2_02A7440B
Source: C:\Windows\SysWOW64\mspaint.exe Code function: 18_2_02A73980 SHGetFolderPathA,lstrcat,FindFirstFileA,lstrlen,StrRChrA,lstrcpyn,lstrcat,FindNextFileA,FindClose,18_2_02A73980
Source: C:\Windows\SysWOW64\mspaint.exe Code function: 18_2_02A74D90 GetEnvironmentVariableA,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcat,FindFirstFileA,lstrcpy,lstrcat,StrStrA,lstrcpy,lstrcat,MoveFileExA,FindNextFileA,FindClose,18_2_02A74D90
Source: C:\Windows\SysWOW64\mspaint.exe Code function: 18_2_02A75D90 FindFirstFileA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,lstrcmpiA,Process32Next,FindNextFileA,18_2_02A75D90
Source: C:\Windows\SysWOW64\mspaint.exe Code function: 18_2_02A789D0 SHGetSpecialFolderPathA,GetComputerNameA,CharLowerA,lstrlen,wsprintfA,FindFirstFileA,CharLowerA,wsprintfA,wsprintfA,MoveFileA,GetLastError,FindNextFileA,FindClose,18_2_02A789D0
Source: C:\Windows\SysWOW64\mspaint.exe Code function: 18_2_02A75D10 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,18_2_02A75D10
Source: C:\Windows\SysWOW64\mspaint.exe Code function: 18_2_02A74370 SHGetFolderPathA,wsprintfA,lstrlen,GetDriveTypeA,wsprintfA,SetFileAttributesA,DeleteFileA,CreateFileA,CloseHandle,DeleteFileA,GetVolumeInformationA,lstrcat,wsprintfA,FindFirstFileA,lstrcmp,lstrcpy,lstrlen,wsprintfA,wsprintfA,MoveFileA,wsprintfA,wsprintfA,StrStrA,SetFileAttributesA,DeleteFileA,StrStrA,StrStrA,StrStrA,StrStrA,StrStrA,GetFileAttributesA,SetFileAttributesA,DeleteFileA,CopyFileA,SetFileAttributesA,lstrlen,lstrlen,MultiByteToWideChar,SetFileAttributesA,SetFileAttributesA,FindNextFileA,wsprintfA,SetFileAttributesA,DeleteFileA,CopyFileA,SetFileAttributesA,CreateFileA,18_2_02A74370
Source: C:\Windows\SysWOW64\mspaint.exe Code function: 18_2_02ABF130 SetFileAttributesA,memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,18_2_02ABF130
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe Code function: 19_2_0040F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,19_2_0040F130
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Code function: 20_2_0337F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,20_2_0337F130
Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: 21_2_0090F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,21_2_0090F130
Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: 22_2_00F0F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,22_2_00F0F130
Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: 23_2_00B7F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,23_2_00B7F130
Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: 24_2_0097F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,24_2_0097F130
Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: 25_2_010EF130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,25_2_010EF130
Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: 26_2_0168F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,26_2_0168F130
Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: 27_2_00E9F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,27_2_00E9F130
Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: 28_2_00D3F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,28_2_00D3F130
Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: 29_2_0141F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,29_2_0141F130
Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: 30_2_014FF130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,30_2_014FF130
Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: 31_2_0098F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,31_2_0098F130
Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: 32_2_00FDF130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,32_2_00FDF130
Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: 33_2_015AF130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,33_2_015AF130
Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: 34_2_00F8F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,34_2_00F8F130
Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: 35_2_006DF130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,35_2_006DF130
Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: 36_2_006DF130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,36_2_006DF130
Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: 37_2_0114F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,37_2_0114F130
Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: 38_2_00F1F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,38_2_00F1F130
Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: 39_2_00ACF130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,39_2_00ACF130
Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: 40_2_00E6F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,40_2_00E6F130
Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_0041F9E0 memset,GetLogicalDriveStringsA,lstrcatA,lstrcatA,16_2_0041F9E0

Networking

Source: unknown Network traffic detected: HTTP traffic on port 3720 -> 49707
Source: global traffic TCP traffic: 192.168.2.7:49706 -> 194.58.112.165:3720
Source: global traffic TCP traffic: 192.168.2.7:49707 -> 195.133.45.237:3720
Source: global traffic TCP traffic: 192.168.2.7:49708 -> 204.95.99.243:3720
Source: Joe Sandbox View IP Address: 194.58.112.165 194.58.112.165
Source: unknown DNS query: name: api.wipmania.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 16_2_00418270 GetTickCount,GetTickCount,GetTickCount,select,select,closesocket,select,recv,send,inet_ntoa,htons,send,LocalAlloc,LocalFree
            Source: global traffic | DNS traffic detected: DNS query: api.wipmania.com
            Source: global traffic | DNS traffic detected: DNS query: n.lotys.ru
            Source: global traffic | DNS traffic detected: DNS query: n.jntbxduhz.ru
            Source: global traffic | DNS traffic detected: DNS query: n.hmiblgoja.ru
            Source: global traffic | DNS traffic detected: DNS query: n.ezjhyxxbf.ru
            Source: global traffic | DNS traffic detected: DNS query: n.yqqufklho.ru
            Source: global traffic | DNS traffic detected: DNS query: n.vbemnggcj.ru
            Source: global traffic | DNS traffic detected: DNS query: n.yxntnyrap.ru
            Source: global traffic | DNS traffic detected: DNS query: n.oceardpku.ru
            Source: global traffic | DNS traffic detected: DNS query: n.zhgcuntif.ru
            Source: global traffic | DNS traffic detected: DNS query: n.jupoofsnc.ru
            Source: global traffic | DNS traffic detected: DNS query: n.aoyylwyxd.ru
            Source: global traffic | DNS traffic detected: DNS query: n.kvupdstwh.ru
            Source: global traffic | DNS traffic detected: DNS query: n.spgpemwqk.ru
            Source: global traffic | DNS traffic detected: DNS query: n.zhjdwkpaz.ru
            Source: bWgyuzlQlr.exe, 00000028.00000002.2531260969.0000000000E60000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://api.wipmania.com/
            Source: mspaint.exe, 00000012.00000002.2550014931.0000000002BF7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://api.wipmania.com/LtU
            Source: mspaint.exe, 00000012.00000002.2550014931.0000000002BF7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://api.wipmania.com/N
            Source: mspaint.exe, 00000012.00000002.2550014931.0000000002C1E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://api.wipmania.com/l
            Source: LisectAVT_2403002C_106.exe, LisectAVT_2403002C_106.exe, 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, LisectAVT_2403002C_106.exe, 0000000F.00000002.1954814037.0000000002640000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000010.00000002.2553969446.0000000004400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, calc.exe, calc.exe, 00000011.00000002.2507923478.0000000003070000.00000040.00000400.00020000.00000000.sdmp, mspaint.exe, mspaint.exe, 00000012.00000002.2507919205.0000000002A70000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com
            Source: LisectAVT_2403002C_106.exe, 00000000.00000002.1952052502.0000000000470000.00000040.00001000.00020000.00000000.sdmp, LisectAVT_2403002C_106.exe, 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, LisectAVT_2403002C_106.exe, 0000000F.00000002.1954814037.0000000002640000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2553969446.0000000004400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, mspaint.exe, 00000012.00000002.2507919205.0000000002A70000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://www.google.com.exec7312009EEAi
            Source: calc.exe, 00000011.00000002.2507923478.0000000003070000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://www.google.comc731200U
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: 0_2_0040EA90 EndDialog,ScreenToClient,GetWindowRect,EnableMenuItem,GetSystemMenu,SetClassLongA,IsWindowEnabled,SetWindowPos,GetSysColor,GetWindowLongA,SetCursor,LoadCursorA,CheckDlgButton,GetMessagePos,LoadBitmapA,CallWindowProcA,IsWindowVisible,CloseClipboard,SetClipboardData,EmptyClipboard,RegisterClassA,TrackPopupMenu,AppendMenuA,CreatePopupMenu,GetSystemMetrics,SetDlgItemTextA,GetDlgItemTextA,MessageBoxIndirectA,CharPrevA,DispatchMessageA,PeekMessageA,DestroyWindow,CreateDialogParamA,SetTimer,SetWindowTextA,PostQuitMessage,SetForegroundWindow,wsprintfA,SendMessageTimeoutA,FindWindowExA,SystemParametersInfoA,CreateWindowExA,GetClassInfoA,DialogBoxParamA,CharNextA,OpenClipboard,ExitWindowsEx,IsWindow,GetDlgItem,SetWindowLongA,LoadImageA,GetDC,EnableWindow,InvalidateRect,SendMessageA,DefWindowProcA,BeginPaint,GetClientRect,FillRect,DrawTextA,EndPaint,ShowWindow
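The actionable part of the Networking rows is small: three hosts contacted on TCP/3720, a lookup of api.wipmania.com (a public GeoIP service that bots commonly query to learn the victim's country), and a run of n.<nine letters>.ru names that look algorithmically generated next to the shorter n.lotys.ru. The script below is an added example written for this page, not code from the Joe Sandbox report or from the malware: it parses signature rows in the shape shown above, extracts destination IP:port pairs, and separates the generated-looking domains with a shape rule. The sample rows are constructed from the report's own values; the shape rule (fixed host label n, nine-letter alphabetic label, .ru) is an assumption fitted to this list, not a published description of the DGA.

```python
import re

# Constructed sample input, in the shape of the Networking rows above. The
# values are the report's own; nothing is resolved or fetched live.
SAMPLE_LINES = """
Source: global traffic | TCP traffic: 192.168.2.7:49706 -> 194.58.112.165:3720
Source: global traffic | TCP traffic: 192.168.2.7:49707 -> 195.133.45.237:3720
Source: global traffic | TCP traffic: 192.168.2.7:49708 -> 204.95.99.243:3720
Source: global traffic | DNS traffic detected: DNS query: api.wipmania.com
Source: global traffic | DNS traffic detected: DNS query: n.lotys.ru
Source: global traffic | DNS traffic detected: DNS query: n.jntbxduhz.ru
Source: global traffic | DNS traffic detected: DNS query: n.hmiblgoja.ru
Source: global traffic | DNS traffic detected: DNS query: n.ezjhyxxbf.ru
Source: global traffic | DNS traffic detected: DNS query: n.yqqufklho.ru
Source: global traffic | DNS traffic detected: DNS query: n.vbemnggcj.ru
Source: global traffic | DNS traffic detected: DNS query: n.yxntnyrap.ru
Source: global traffic | DNS traffic detected: DNS query: n.oceardpku.ru
Source: global traffic | DNS traffic detected: DNS query: n.zhgcuntif.ru
Source: global traffic | DNS traffic detected: DNS query: n.jupoofsnc.ru
Source: global traffic | DNS traffic detected: DNS query: n.aoyylwyxd.ru
Source: global traffic | DNS traffic detected: DNS query: n.kvupdstwh.ru
Source: global traffic | DNS traffic detected: DNS query: n.spgpemwqk.ru
Source: global traffic | DNS traffic detected: DNS query: n.zhjdwkpaz.ru
""".strip().splitlines()

TCP_RE = re.compile(r"TCP traffic: \S+ -> (\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")
DNS_RE = re.compile(r"DNS query: ([A-Za-z0-9.-]+)")


def looks_generated(domain, host_label="n", label_len=9, tld="ru"):
    """Shape rule fitted to the n.<9 letters>.ru family queried above (an
    assumption drawn from the list, not a published DGA description): a fixed
    one-letter host label, an all-alphabetic second-level label of exactly
    label_len characters, and the given TLD. Short pronounceable labels such
    as n.lotys.ru fall outside the rule; pivot on the C2 addresses for those."""
    parts = domain.lower().split(".")
    if len(parts) != 3 or parts[0] != host_label or parts[2] != tld:
        return False
    sld = parts[1]
    return len(sld) == label_len and sld.isalpha()


def dns_regex(host_label="n", label_len=9, tld="ru"):
    """The same shape rule as a regex, for a DNS filter or SIEM search."""
    return rf"^{re.escape(host_label)}\.[a-z]{{{label_len}}}\.{re.escape(tld)}$"


def extract_iocs(lines):
    """Return sorted C2 endpoints and the queried names split by the shape rule."""
    c2, generated, other = set(), [], []
    for line in lines:
        if (m := TCP_RE.search(line)):
            c2.add((m.group(1), int(m.group(2))))
        elif (m := DNS_RE.search(line)):
            name = m.group(1).lower()
            (generated if looks_generated(name) else other).append(name)
    return {"c2": sorted(c2), "generated": generated, "other": other}


if __name__ == "__main__":
    result = extract_iocs(SAMPLE_LINES)
    print("C2 endpoints:", result["c2"])
    print(len(result["generated"]), "generated-looking names; other:", result["other"])
    print("DNS filter:", dns_regex())
```

The split matters operationally: the three sockets and n.lotys.ru go into an exact block list, while the regex catches the rest of the family as it rotates, which a static list never will.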

            Operating System Destruction

            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 16_2_00419D90 CreateFileA on filename \\.\PHYSICALDRIVE0
            Source: C:\Windows\SysWOW64\calc.exe | Code function: 17_2_03099D90 CreateFileA on filename \\.\PHYSICALDRIVE0
            Source: C:\Windows\SysWOW64\mspaint.exe | Code function: 18_2_02AB9D90 CreateFileA on filename \\.\PHYSICALDRIVE0
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: 19_2_00409D90 CreateFileA on filename \\.\PHYSICALDRIVE0
            Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Code function: 20_2_03379D90 CreateFileA on filename \\.\PHYSICALDRIVE0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: CreateFileA on filename \\.\PHYSICALDRIVE0 at 21_2_00909D90, 22_2_00F09D90, 23_2_00B79D90, 24_2_00979D90, 25_2_010E9D90, 26_2_01689D90, 27_2_00E99D90, 28_2_00D39D90, 29_2_01419D90, 30_2_014F9D90, 31_2_00989D90, 32_2_00FD9D90, 33_2_015A9D90, 34_2_006D9D90, 35_2_006D9D90, 36_2_006D9D90, 37_2_01149D90, 38_2_00F19D90, 39_2_00AC9D90, 40_2_00E69D90 (the same function in each of the 20 bWgyuzlQlr.exe instances; 34_2 is 00F89D90)
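Every one of the injected or dropped processes above opens \\.\PHYSICALDRIVE0 with CreateFileA. A raw handle to the first disk is what a bootkit needs to replace sector 0, and it is also the responder's first thing to check on a host that ran this sample. The checker below is an added example for this page, not code from the report or the malware: it validates a 512-byte MBR image the way you would after pulling sector 0 from a disk image, and compares the boot code against a known-good hash, because a bootkit keeps the partition table and the 55AA signature intact so the machine still boots and a structure-only check passes. The sample sectors are constructed here; the "clean" boot code is a stand-in, not a real OS boot stub, and the reference hash would on a real case come from a clean machine with the same OS build.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, first LBA, sector count
BOOT_SIG = b"\x55\xaa"


def partition_entry(bootable, ptype, first_lba, count):
    """One 16-byte partition table entry (CHS fields left zero)."""
    return struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, b"\0\0\0",
                       ptype, b"\0\0\0", first_lba, count)


def build_mbr(boot_code, entries, signature=BOOT_SIG):
    """Assemble a 512-byte MBR image: 446 bytes of code, 4 entries, signature.
    Used here only to construct test sectors; on a case, read sector 0 from
    the disk image instead."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\0")[:BOOT_CODE_LEN]
    table = b"".join(entries).ljust(64, b"\0")[:64]
    return code + table + signature


def check_mbr(sector0, known_good_sha256=None):
    """Validate MBR structure and, if a reference hash is given, the boot code."""
    findings = []
    if len(sector0) != SECTOR:
        return {"ok": False, "findings": [f"got {len(sector0)} bytes, expected {SECTOR}"],
                "partitions": [], "boot_code_sha256": None}
    if sector0[510:512] != BOOT_SIG:
        findings.append("boot signature 55AA missing")
    partitions = []
    for i in range(4):
        off = BOOT_CODE_LEN + 16 * i
        status, _, ptype, _, first, count = struct.unpack(ENTRY_FMT, sector0[off:off + 16])
        if ptype == 0:
            continue                      # unused slot
        if status not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status byte 0x{status:02x}")
        partitions.append((first, first + count, ptype))
    if not partitions:
        findings.append("partition table empty")
    partitions.sort()
    for (_, end_a, _), (start_b, _, _) in zip(partitions, partitions[1:]):
        if start_b < end_a:
            findings.append(f"partitions overlap at LBA {start_b}")
    # Structure alone cannot catch a bootkit: hash the code region and compare.
    digest = hashlib.sha256(sector0[:BOOT_CODE_LEN]).hexdigest()
    if known_good_sha256 is not None and digest != known_good_sha256:
        findings.append("boot code differs from known-good copy")
    return {"ok": not findings, "findings": findings,
            "partitions": partitions, "boot_code_sha256": digest}


# Constructed samples. CLEAN_CODE is a stand-in for the OS boot stub, not a
# real one; the layout mimics a typical Windows disk (system + OS partition).
CLEAN_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 64
LAYOUT = [partition_entry(True, 0x07, 2048, 1_024_000),
          partition_entry(False, 0x07, 1_026_048, 50_000_000)]
CLEAN_MBR = build_mbr(CLEAN_CODE, LAYOUT)
KNOWN_GOOD = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()
# Bootkit-style overwrite: new code in the first 446 bytes, partition table
# and 55AA left intact so the machine still boots.
INFECTED_MBR = build_mbr(b"\xeb\x00" + bytes(range(256)), LAYOUT)
# Destructive overwrite: whole sector zeroed.
WIPED_MBR = b"\0" * SECTOR

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR), ("wiped", WIPED_MBR)):
        print(name, check_mbr(img, KNOWN_GOOD))
```

On a live Windows host the same 512 bytes come from opening \\.\PhysicalDrive0 read-only as an administrator, which is exactly the handle the sample asks for; do it from a forensic image rather than the compromised OS when you can, since the injected processes are still resident there.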

            System Summary

            Source: Yara match | File source: Process Memory Space: LisectAVT_2403002C_106.exe PID: 5344, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: LisectAVT_2403002C_106.exe PID: 1552, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1748, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: calc.exe PID: 1860, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: mspaint.exe PID: 2060, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: LisectAVT_2403002C_106.exe PID: 2184, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: WmiPrvSE.exe PID: 4412, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: bWgyuzlQlr.exe, 20 instances, PIDs: 6720, 6592, 3840, 5900, 972, 344, 6448, 4456, 720, 6708, 5296, 1528, 3172, 6680, 6132, 6368, 4732, 6596, 7052, 4832, type: MEMORYSTR
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: 0_2_00450E99 VirtualAlloc,CreateProcessA,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: 15_2_004053A0 GetCommandLineW,CreateProcessW,GetModuleHandleA,GetProcAddress,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,ResumeThread
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 16_2_00415C50 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 16_2_00414D00 GetVersionExA,strncpy,NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 16_2_00413440 printf,printf,printf,NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 16_2_00415820 memset,CloseHandle,NtQueryInformationProcess,NtQueryInformationProcess,InterlockedCompareExchange,WideCharToMultiByte,Sleep,CloseHandle
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 16_2_004156E0 NtQuerySystemInformation,NtQuerySystemInformation
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 16_2_004153D0 NtQueryInformationThread,OpenProcess,NtQueryInformationProcess,InterlockedCompareExchange,VirtualAllocEx,WriteProcessMemory,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,CloseHandle
            Source: C:\Windows\SysWOW64\calc.exe | Code function: 17_2_03094D00 GetVersionExA,strncpy,NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\calc.exe | Code function: 17_2_03095C50 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\calc.exe | Code function: 17_2_030953D0 NtQueryInformationThread,OpenProcess,NtQueryInformationProcess,InterlockedCompareExchange,VirtualAllocEx,WriteProcessMemory,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,CloseHandle
            Source: C:\Windows\SysWOW64\calc.exe | Code function: 17_2_03095820 memset,NtGetNextProcess,CloseHandle,NtQueryInformationProcess,NtQueryInformationProcess,InterlockedCompareExchange,WideCharToMultiByte,Sleep,CloseHandle
            Source: C:\Windows\SysWOW64\calc.exe | Code function: 17_2_03093440 printf,printf,printf,NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\calc.exe | Code function: 17_2_030956E0 NtQuerySystemInformation,NtQuerySystemInformation
            Source: C:\Windows\SysWOW64\mspaint.exe | Code function: 18_2_02AB5C50 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\mspaint.exe | Code function: 18_2_02AB6390 NtEnumerateValueKey,wcsstr,wcsstr,NtEnumerateValueKey
            Source: C:\Windows\SysWOW64\mspaint.exe | Code function: 18_2_02AB4D00 GetVersionExA,strncpy,NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\mspaint.exe | Code function: 18_2_02AB56E0 NtQuerySystemInformation,NtQuerySystemInformation
            Source: C:\Windows\SysWOW64\mspaint.exe | Code function: 18_2_02AB5820 memset,CloseHandle,NtQueryInformationProcess,NtQueryInformationProcess,InterlockedCompareExchange,WideCharToMultiByte,Sleep,CloseHandle
            Source: C:\Windows\SysWOW64\mspaint.exe | Code function: 18_2_02AB3440 printf,printf,printf,NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\mspaint.exe | Code function: 18_2_02AB53D0 NtQueryInformationThread,OpenProcess,NtQueryInformationProcess,InterlockedCompareExchange,VirtualAllocEx,WriteProcessMemory,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,CloseHandle
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: 19_2_004056E0 NtQuerySystemInformation,NtQuerySystemInformation
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: 19_2_00404D00 GetVersionExA,strncpy,NtQueryInformationProcess
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: 19_2_00403440 printf,printf,printf,NtAllocateVirtualMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: 19_2_00405C50 NtQueryInformationProcess
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: 19_2_00405820 memset,CloseHandle,NtQueryInformationProcess,NtQueryInformationProcess,InterlockedCompareExchange,WideCharToMultiByte,Sleep,CloseHandle
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: 19_2_004053D0 NtQueryInformationThread,OpenProcess,NtQueryInformationProcess,InterlockedCompareExchange,VirtualAllocEx,WriteProcessMemory,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,CloseHandle
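The rows at 0_2_00450E99 and 15_2_004053A0 are the textbook process-hollowing chain: create a process, NtUnmapViewOfSection to drop its image, VirtualAllocEx plus WriteProcessMemory to put the payload in its place, Wow64SetThreadContext to redirect the entry point, ResumeThread to run it. The rows at 16_2_004153D0 and its copies in calc.exe, mspaint.exe and the desktop binary are the second, simpler shape: OpenProcess on a running target, then VirtualAllocEx and WriteProcessMemory. The matcher below is an added example for this page, not the sandbox's own signature logic: it expresses such chains as ordered steps with API aliases and runs them over rows in the shape listed here, generalizing from the two rows to any chain containing the steps in order with unrelated calls in between. The sample rows are constructed from the report's own call lists, abbreviated, plus the token-privilege chain that appears further down in this section and one benign-looking row. Caveat: a Code function row is a static listing of call sites in disassembly order, not a runtime trace, so a match is a strong lead rather than proof of the sequence.

```python
import re

# Constructed sample rows in the shape of the "Code function" rows above (the
# report's own call lists, abbreviated), plus one benign-looking row.
SAMPLE_ROWS = [
    "0_2_00450E99 VirtualAlloc,CreateProcessA,NtUnmapViewOfSection,VirtualAllocEx,"
    "WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,WriteProcessMemory,"
    "Wow64SetThreadContext,ResumeThread,ExitProcess",
    "15_2_004053A0 GetCommandLineW,CreateProcessW,GetModuleHandleA,GetProcAddress,"
    "NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,Wow64GetThreadContext,"
    "WriteProcessMemory,Wow64SetThreadContext,ResumeThread",
    "16_2_004153D0 NtQueryInformationThread,OpenProcess,NtQueryInformationProcess,"
    "VirtualAllocEx,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,CloseHandle",
    "16_2_0041A550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError",
    "16_2_0041F9E0 memset,GetLogicalDriveStringsA,lstrcatA,lstrcatA",
]

# Ordered steps; each step is the set of APIs that satisfy it, so the A/W
# wrappers and the ntdll entry points reached by direct syscalls all count.
PATTERNS = {
    "process hollowing": [
        {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"},
        {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"},
        {"VirtualAllocEx", "NtAllocateVirtualMemory"},
        {"WriteProcessMemory", "NtWriteVirtualMemory"},
        {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"},
        {"ResumeThread", "NtResumeThread"},
    ],
    "code write into an existing process": [
        {"OpenProcess", "NtOpenProcess"},
        {"VirtualAllocEx", "NtAllocateVirtualMemory"},
        {"WriteProcessMemory", "NtWriteVirtualMemory"},
    ],
    "token privilege adjustment": [
        {"OpenProcessToken", "NtOpenProcessToken"},
        {"LookupPrivilegeValueA", "LookupPrivilegeValueW"},
        {"AdjustTokenPrivileges", "NtAdjustPrivilegesToken"},
    ],
}

ROW_RE = re.compile(r"^(\S+)\s+(.*)$")


def parse_row(row):
    """Split a row into its function id and the list of API names."""
    fid, calls = ROW_RE.match(row).groups()
    return fid, [c for c in calls.split(",") if c]


def matches_in_order(calls, steps):
    """Ordered-subsequence match: each step must be satisfied by a call that
    comes after the call that satisfied the previous step; other calls in
    between are ignored."""
    i = 0
    for call in calls:
        if i < len(steps) and call in steps[i]:
            i += 1
    return i == len(steps)


def classify(rows, patterns=PATTERNS):
    """Map function id -> names of the patterns it matches (unmatched rows omitted)."""
    hits = {}
    for row in rows:
        fid, calls = parse_row(row)
        names = [name for name, steps in patterns.items() if matches_in_order(calls, steps)]
        if names:
            hits[fid] = names
    return hits


if __name__ == "__main__":
    for fid, names in classify(SAMPLE_ROWS).items():
        print(fid, "->", ", ".join(names))
```

The alias sets are the part worth keeping: a sample that issues direct syscalls never touches the kernel32 wrappers, so a rule keyed only on VirtualAllocEx and WriteProcessMemory misses the same chain expressed as NtAllocateVirtualMemory and NtWriteVirtualMemory.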
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 16_2_00419E7B: WriteFile,DeviceIoControl
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: 0_2_0040EA90 EndDialog,ScreenToClient,GetWindowRect,EnableMenuItem,GetSystemMenu,SetClassLongA,IsWindowEnabled,SetWindowPos,GetSysColor,GetWindowLongA,SetCursor,LoadCursorA,CheckDlgButton,GetMessagePos,LoadBitmapA,CallWindowProcA,IsWindowVisible,CloseClipboard,SetClipboardData,EmptyClipboard,RegisterClassA,TrackPopupMenu,AppendMenuA,CreatePopupMenu,GetSystemMetrics,SetDlgItemTextA,GetDlgItemTextA,MessageBoxIndirectA,CharPrevA,DispatchMessageA,PeekMessageA,DestroyWindow,CreateDialogParamA,SetTimer,SetWindowTextA,PostQuitMessage,SetForegroundWindow,wsprintfA,SendMessageTimeoutA,FindWindowExA,SystemParametersInfoA,CreateWindowExA,GetClassInfoA,DialogBoxParamA,CharNextA,OpenClipboard,ExitWindowsEx,IsWindow,GetDlgItem,SetWindowLongA,LoadImageA,GetDC,EnableWindow,InvalidateRect,SendMessageA,DefWindowProcA,BeginPaint,GetClientRect,FillRect,DrawTextA,EndPaint,ShowWindow
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: 0_2_00406076
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: 0_2_00401C00
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: 0_2_00405112
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 16_2_00412D60
            Source: C:\Windows\SysWOW64\calc.exe | Code function: 17_2_03092D60
            Source: C:\Windows\SysWOW64\mspaint.exe | Code function: 18_2_02AB2D60
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: 19_2_00402D60
            Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Code function: 20_2_03372D60
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: 21_2_00902D60, 22_2_00F02D60, 23_2_00B72D60, 24_2_00972D60, 25_2_010E2D60, 26_2_01682D60, 27_2_00E92D60, 28_2_00D32D60, 29_2_01412D60, 30_2_014F2D60, 31_2_00982D60, 32_2_00FD2D60, 33_2_015A2D60, 34_2_00F82D60, 35_2_006D2D60, 36_2_006D2D60, 37_2_01142D60, 38_2_00F12D60, 39_2_00AC2D60, 40_2_00E759B8, 40_2_00E62D60 (the same function across the 20 bWgyuzlQlr.exe instances, plus 40_2_00E759B8)
            Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Code function: String function: 0337BA00 appears 37 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0041BA00 appears 37 times
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: String function: 0040BA00 appears 37 times
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: String function: 004056D8 appears 34 times
            Source: C:\Windows\SysWOW64\mspaint.exe | Code function: String function: 02ABBA00 appears 37 times
            Source: C:\Windows\SysWOW64\calc.exe | Code function: String function: 0309BA00 appears 37 times
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: String function appears 37 times at each of 0168BA00, 00F8BA00, 0114BA00, 0097BA00, 00E9BA00, 0098BA00, 00FDBA00, 00F0BA00, 015ABA00, 00F1BA00, 00D3BA00, 0090BA00, 0141BA00, 00E6BA00, 00B7BA00, 010EBA00, 014FBA00, 00ACBA00 (one per instance); in addition 006DA310 appears 46 times, 006DBA00 appears 74 times and 006DB990 appears 48 times (the two instances loaded at the same base, 35_2 and 36_2)
            Source: LisectAVT_2403002C_106.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@11/7@15/4
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: 15_2_0040A980 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 16_2_001CA980 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 16_2_00414C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 16_2_0041A550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
            Source: C:\Windows\SysWOW64\calc.exe | Code function: 17_2_03094C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification
            Source: C:\Windows\SysWOW64\calc.exe | Code function: 17_2_0309A550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
            Source: C:\Windows\SysWOW64\mspaint.exe | Code function: 18_2_02A7A980 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges
            Source: C:\Windows\SysWOW64\mspaint.exe | Code function: 18_2_02AB4C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification
            Source: C:\Windows\SysWOW64\mspaint.exe | Code function: 18_2_02ABA550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: 19_2_00404C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: 19_2_0040A550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
            Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Code function: 20_2_03374C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle
            Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Code function: 20_2_0337A550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle at 21_2_00904C20, 22_2_00F04C20, 23_2_00B74C20, 24_2_00974C20, 25_2_010E4C20, 26_2_01684C20
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError at 21_2_0090A550, 22_2_00F0A550, 23_2_00B7A550, 24_2_0097A550, 25_2_010EA550
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 26_2_0168A550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,26_2_0168A550
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 27_2_00E94C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle,27_2_00E94C20
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 27_2_00E9A550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,27_2_00E9A550
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 28_2_00D34C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle,28_2_00D34C20
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 28_2_00D3A550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,28_2_00D3A550
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 29_2_01414C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle,29_2_01414C20
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 29_2_0141A550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,29_2_0141A550
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 30_2_014F4C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle,30_2_014F4C20
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 30_2_014FA550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,30_2_014FA550
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 31_2_00984C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle,31_2_00984C20
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 31_2_0098A550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,31_2_0098A550
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 32_2_00FD4C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle,32_2_00FD4C20
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 32_2_00FDA550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,32_2_00FDA550
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 33_2_015A4C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle,33_2_015A4C20
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 33_2_015AA550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,33_2_015AA550
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 34_2_00F84C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle,34_2_00F84C20
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 34_2_00F8A550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,34_2_00F8A550
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 35_2_006D4C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle,35_2_006D4C20
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 35_2_006DA550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,35_2_006DA550
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 36_2_006D4C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle,36_2_006D4C20
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 36_2_006DA550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,36_2_006DA550
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 37_2_01144C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle,37_2_01144C20
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 37_2_0114A550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,37_2_0114A550
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 38_2_00F14C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle,38_2_00F14C20
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 38_2_00F1A550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,38_2_00F1A550
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 39_2_00AC4C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle,39_2_00AC4C20
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 39_2_00ACA550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,39_2_00ACA550
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 40_2_00E64C20 OpenProcessToken,GetLastError,LookupPrivilegeValueA,GetLastError,CloseHandle,AdjustTokenPrivileges,GetLastError,CloseHandle,40_2_00E64C20
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 40_2_00E6A550 OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,40_2_00E6A550
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeCode function: 0_2_00450000 CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification,CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,0_2_00450000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeCode function: 0_2_0040EDE0 CoTaskMemFree,OleInitialize,OleUninitialize,CoCreateInstance,0_2_0040EDE0
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeCode function: 15_2_00404FB0 EntryPoint,CreateThread,GetModuleFileNameW,GetModuleHandleA,GetProcAddress,GetCommandLineA,StrStrA,GetCommandLineA,StrStrA,SetLastError,CreateMutexA,GetLastError,ExitProcess,GetModuleFileNameA,CreateThread,GetProcessHeap,SHGetFolderPathW,lstrcpyW,lstrcatW,lstrcpyA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrcatW,CreateProcessW,FindResourceA,LoadResource,SizeofResource,LockResource,VirtualProtect,GetModuleFileNameW,ExitProcess,15_2_00404FB0
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | File created: C:\Users\user\AppData\Roaming\c731200
Source: C:\Windows\SysWOW64\calc.exe | Mutant created: \Sessions\1\BaseNamedObjects\c731200
Source: C:\Windows\SysWOW64\mspaint.exe | Mutant created: \Sessions\1\BaseNamedObjects\FvLQ49I zLjj6m
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Mutant created: \Sessions\1\BaseNamedObjects\-65b46629Mutex
Source: C:\Windows\SysWOW64\svchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\SVCHOST_MUTEX_OBJECT_RELEASED_c000900
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Mutant created: \Sessions\1\BaseNamedObjects\SSLOADasdasc000900
Source: C:\Windows\SysWOW64\calc.exe | File created: C:\Users\user~1\AppData\Local\Temp\c731200
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Command line argument: toupper=%#04x | 0_2_00401000
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Command line argument: tolower=%#04x | 0_2_00401000
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Command line argument: (>A | 0_2_00401000
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | File read: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess | graph_15-2930
Source: unknown | Process created: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe "C:\Users\user\Desktop\LisectAVT_2403002C_106.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Process created: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe "C:\Users\user\Desktop\LisectAVT_2403002C_106.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\SysWOW64\svchost.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Process created: C:\Windows\SysWOW64\calc.exe "C:\Windows\SysWOW64\calc.exe"
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Windows\SysWOW64\mspaint.exe "C:\Windows\SysWOW64\mspaint.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Process created: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe "C:\Users\user\Desktop\LisectAVT_2403002C_106.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Process created: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe "C:\Users\user\Desktop\LisectAVT_2403002C_106.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Process created: C:\Windows\SysWOW64\calc.exe "C:\Windows\SysWOW64\calc.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\SysWOW64\svchost.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Process created: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe "C:\Users\user\Desktop\LisectAVT_2403002C_106.exe"
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Windows\SysWOW64\mspaint.exe "C:\Windows\SysWOW64\mspaint.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Section loaded: opengl32.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Section loaded: glu32.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Section loaded: samcli.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\calc.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\calc.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\calc.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\calc.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\calc.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\calc.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\calc.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\calc.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\calc.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mspaint.exe | Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\mspaint.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mspaint.exe | Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\mspaint.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\mspaint.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\mspaint.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\mspaint.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mspaint.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\mspaint.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mspaint.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\mspaint.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\mspaint.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mspaint.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mspaint.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mspaint.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mspaint.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mspaint.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mspaint.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mspaint.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\mspaint.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mspaint.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\mspaint.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\mspaint.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mspaint.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mspaint.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mspaint.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\mspaint.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\mspaint.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
            Source: Window Recorder Window detected: More than 3 window changes detected
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: bWgyuzlQlr.exe, 00000015.00000002.2540363965.000000000028E000.00000002.00000001.01000000.00000007.sdmp, bWgyuzlQlr.exe, 00000016.00000000.2028608306.000000000028E000.00000002.00000001.01000000.00000007.sdmp, bWgyuzlQlr.exe, 00000017.00000000.2029533824.000000000028E000.00000002.00000001.01000000.00000007.sdmp, bWgyuzlQlr.exe, 00000018.00000000.2030382000.000000000028E000.00000002.00000001.01000000.00000007.sdmp, bWgyuzlQlr.exe, 00000019.00000002.2540173733.000000000028E000.00000002.00000001.01000000.00000007.sdmp, bWgyuzlQlr.exe, 0000001A.00000000.2032043976.000000000028E000.00000002.00000001.01000000.00000007.sdmp, bWgyuzlQlr.exe, 0000001B.00000002.2544092609.000000000028E000.00000002.00000001.01000000.00000007.sdmp, bWgyuzlQlr.exe, 0000001C.00000002.2532883963.000000000028E000.00000002.00000001.01000000.00000007.sdmp, bWgyuzlQlr.exe, 0000001D.00000002.2535898042.000000000028E000.00000002.00000001.01000000.00000007.sdmp, bWgyuzlQlr.exe, 0000001E.00000000.2047039338.000000000028E000.00000002.00000001.01000000.00000007.sdmp, bWgyuzlQlr.exe, 0000001F.00000000.2048135998.000000000028E000.00000002.00000001.01000000.00000007.sdmp, bWgyuzlQlr.exe, 00000020.00000002.2539767260.000000000028E000.00000002.00000001.01000000.00000007.sdmp, bWgyuzlQlr.exe, 00000021.00000002.2530475113.000000000028E000.00000002.00000001.01000000.00000007.sdmp, bWgyuzlQlr.exe, 00000022.00000002.2540270923.000000000028E000.00000002.00000001.01000000.00000007.sdmp, bWgyuzlQlr.exe, 00000023.00000002.2561678708.000000000028E000.00000002.00000001.01000000.00000007.sdmp, bWgyuzlQlr.exe, 00000024.00000000.2053747461.000000000028E000.00000002.00000001.01000000.00000007.sdmp, bWgyuzlQlr.exe, 00000025.00000002.2533580242.000000000028E000.00000002.00000001.01000000.00000007.sdmp, bWgyuzlQlr.exe, 00000026.00000000.2056366315.000000000028E000.00000002.00000001.01000000.00000007.sdmp, bWgyuzlQlr.exe, 00000027.00000002.2534453366.000000000028E000.00000002.00000001.01000000.00000007.sdmp, bWgyuzlQlr.exe, 00000028.00000002.2530398532.000000000028E000.00000002.00000001.01000000.00000007.sdmp

            Data Obfuscation

            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe Unpacked PE file: 15.2.LisectAVT_2403002C_106.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:EW; vs .text:EW;code:ER;.data:W;.rsrc:R;.reloc:R;
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe Unpacked PE file: 19.2.LisectAVT_2403002C_106.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe Unpacked PE file: 0.2.LisectAVT_2403002C_106.exe.470000.1.unpack
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe Unpacked PE file: 15.2.LisectAVT_2403002C_106.exe.2640000.1.unpack
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe Unpacked PE file: 15.2.LisectAVT_2403002C_106.exe.400000.0.unpack
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe Unpacked PE file: 19.2.LisectAVT_2403002C_106.exe.400000.0.unpack
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe Code function: 15_2_00404FB0 EntryPoint,CreateThread,GetModuleFileNameW,GetModuleHandleA,GetProcAddress,GetCommandLineA,StrStrA,GetCommandLineA,StrStrA,SetLastError,CreateMutexA,GetLastError,ExitProcess,GetModuleFileNameA,CreateThread,GetProcessHeap,SHGetFolderPathW,lstrcpyW,lstrcatW,lstrcpyA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrcatW,CreateProcessW,FindResourceA,LoadResource,SizeofResource,LockResource,VirtualProtect,GetModuleFileNameW,ExitProcess, \svchost.exe 15_2_00404FB0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_001C4FB0 EntryPoint,CreateThread,GetModuleFileNameW,GetModuleHandleA,GetProcAddress,GetCommandLineA,StrStrA,GetCommandLineA,StrStrA,SetLastError,CreateMutexA,GetLastError,ExitProcess,GetModuleFileNameA,CreateThread,GetProcessHeap,SHGetFolderPathW,lstrcpyW,lstrcatW,lstrcpyA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrcatW,CreateProcessW,FindResourceA,LoadResource,SizeofResource,LockResource,VirtualProtect,GetModuleFileNameW,ExitProcess, \svchost.exe 16_2_001C4FB0
            Source: C:\Windows\SysWOW64\mspaint.exe Code function: 18_2_02A74FB0 EntryPoint,CreateThread,GetModuleFileNameW,GetModuleHandleA,GetProcAddress,GetCommandLineA,StrStrA,GetCommandLineA,StrStrA,SetLastError,CreateMutexA,GetLastError,ExitProcess,GetModuleFileNameA,CreateThread,GetProcessHeap,SHGetFolderPathW,lstrcpyW,lstrcatW,lstrcpy,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrcatW,CreateProcessW,FindResourceA,LoadResource,SizeofResource,LockResource,VirtualProtect,GetModuleFileNameW,ExitProcess, \svchost.exe 18_2_02A74FB0
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe Code function: 0_2_0040B186 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 0_2_0040B186
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe Code function: 0_2_0040571D push ecx; ret 0_2_00405730
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 16_2_00420F10 push eax; ret 16_2_00420F3E
            Source: C:\Windows\SysWOW64\calc.exe Code function: 17_2_030A0F10 push eax; ret 17_2_030A0F3E
            Source: C:\Windows\SysWOW64\mspaint.exe Code function: 18_2_02A7C05D push cs; ret 18_2_02A7C0DD
            Source: C:\Windows\SysWOW64\mspaint.exe Code function: 18_2_02A7BFE4 push 760000C3h; ret 18_2_02A7BFE9
            Source: C:\Windows\SysWOW64\mspaint.exe Code function: 18_2_02AC0F10 push eax; ret 18_2_02AC0F3E
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe Code function: 19_2_00410F10 push eax; ret 19_2_00410F3E
            Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Code function: 20_2_03380F10 push eax; ret 20_2_03380F3E
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: 21_2_00910F10 push eax; ret 21_2_00910F3E
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: 22_2_00F10F10 push eax; ret 22_2_00F10F3E
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: 23_2_00B80F10 push eax; ret 23_2_00B80F3E
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: 24_2_00980F10 push eax; ret 24_2_00980F3E
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: 25_2_010F0F10 push eax; ret 25_2_010F0F3E
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: 26_2_01690F10 push eax; ret 26_2_01690F3E
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: 27_2_00EA0F10 push eax; ret 27_2_00EA0F3E
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: 28_2_00D40F10 push eax; ret 28_2_00D40F3E
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: 29_2_01420F10 push eax; ret 29_2_01420F3E
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: 30_2_01500F10 push eax; ret 30_2_01500F3E
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: 31_2_00990F10 push eax; ret 31_2_00990F3E
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: 32_2_00FE0F10 push eax; ret 32_2_00FE0F3E
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: 33_2_015B0F10 push eax; ret 33_2_015B0F3E
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: 34_2_00F90F10 push eax; ret 34_2_00F90F3E
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: 35_2_006E0F10 push eax; ret 35_2_006E0F3E
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: 36_2_006E0F10 push eax; ret 36_2_006E0F3E
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: 37_2_01150F10 push eax; ret 37_2_01150F3E
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: 38_2_00F20F10 push eax; ret 38_2_00F20F3E
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: 39_2_00AD0F10 push eax; ret 39_2_00AD0F3E
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: 40_2_00E70F10 push eax; ret 40_2_00E70F3E
            Source: LisectAVT_2403002C_106.exe Static PE information: section name: .rsrc entropy: 7.977818984184578
            Source: c731200.15.dr Static PE information: section name: .rsrc entropy: 7.977818984184578
            Source: Explorer.exe.16.dr Static PE information: section name: .rsrc entropy: 7.977818984184578
            Source: Hsnpnw.exe.18.dr Static PE information: section name: .rsrc entropy: 7.977818984184578

            Persistence and Installation Behavior

            Source: C:\Windows\SysWOW64\svchost.exe Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 16_2_00419EC0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 16_2_00419D90
            Source: C:\Windows\SysWOW64\calc.exe Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 17_2_03099D90
            Source: C:\Windows\SysWOW64\calc.exe Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 17_2_03099EC0
            Source: C:\Windows\SysWOW64\mspaint.exe Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 18_2_02AB9EC0
            Source: C:\Windows\SysWOW64\mspaint.exe Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 18_2_02AB9D90
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 19_2_00409EC0
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 19_2_00409D90
            Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 20_2_03379D90
            Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 20_2_03379EC0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 21_2_00909EC0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 21_2_00909D90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 22_2_00F09EC0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 22_2_00F09D90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 23_2_00B79EC0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 23_2_00B79D90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 24_2_00979EC0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 24_2_00979D90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 25_2_010E9D90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 25_2_010E9EC0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 26_2_01689D90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 26_2_01689EC0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 27_2_00E99D90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 27_2_00E99EC0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 28_2_00D39EC0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 28_2_00D39D90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 29_2_01419D90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 29_2_01419EC0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 30_2_014F9D90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 30_2_014F9EC0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 31_2_00989EC0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 31_2_00989D90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 32_2_00FD9EC0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 32_2_00FD9D90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 33_2_015A9D90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 33_2_015A9EC0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 34_2_00F89EC0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 34_2_00F89D90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 35_2_006D9EC0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 35_2_006D9D90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 36_2_006D9EC0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 36_2_006D9D90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 37_2_01149D90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 37_2_01149EC0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 38_2_00F19EC0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 38_2_00F19D90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 39_2_00AC9EC0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 39_2_00AC9D90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 40_2_00E69EC0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 40_2_00E69D90
            Source: C:\Windows\SysWOW64\svchost.exe File created: C:\Users\user\AppData\Roaming\Update\Explorer.exe
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe File created: C:\Users\user\AppData\Roaming\c731200
            Source: C:\Windows\SysWOW64\mspaint.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe

            Boot Survival

            Source: C:\Windows\SysWOW64\svchost.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 16_2_00419EC0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 16_2_00419D90
            Source: C:\Windows\SysWOW64\calc.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 17_2_03099D90
            Source: C:\Windows\SysWOW64\calc.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 17_2_03099EC0
            Source: C:\Windows\SysWOW64\mspaint.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 18_2_02AB9EC0
            Source: C:\Windows\SysWOW64\mspaint.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 18_2_02AB9D90
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 19_2_00409EC0
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 19_2_00409D90
            Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 20_2_03379D90
            Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 20_2_03379EC0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 21_2_00909EC0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 21_2_00909D90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 22_2_00F09EC0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 22_2_00F09D90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 23_2_00B79EC0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 23_2_00B79D90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 24_2_00979EC0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 24_2_00979D90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 25_2_010E9D90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 25_2_010E9EC0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 26_2_01689D90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 26_2_01689EC0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 27_2_00E99D90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 27_2_00E99EC0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 28_2_00D39EC0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 28_2_00D39D90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 29_2_01419D90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 29_2_01419EC0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 30_2_014F9D90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 30_2_014F9EC0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 31_2_00989EC0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 31_2_00989D90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 32_2_00FD9EC0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 32_2_00FD9D90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 33_2_015A9D90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 33_2_015A9EC0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 34_2_00F89EC0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 34_2_00F89D90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 35_2_006D9EC0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 35_2_006D9D90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 36_2_006D9EC0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 36_2_006D9D90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 37_2_01149D90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 37_2_01149EC0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 38_2_00F19EC0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 38_2_00F19D90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 39_2_00AC9EC0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 39_2_00AC9D90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: memset,CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle, \\.\PHYSICALDRIVE0 | 40_2_00E69EC0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: VirtualAlloc,CreateFileA,DeviceIoControl,SetFilePointer,WriteFile,WriteFile,SetFilePointer,WriteFile,WriteFile,DeviceIoControl, \\.\PHYSICALDRIVE0 | 40_2_00E69D90
            Source: C:\Windows\SysWOW64\svchost.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows Explorer Manager
            Source: C:\Windows\SysWOW64\mspaint.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Hsnpnw
            Source: C:\Windows\SysWOW64\mspaint.exe | Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\SysWOW64\mspaint.exe | File deleted: c:\users\user\desktop\lisectavt_2403002c_106.exe
            Source: C:\Windows\SysWOW64\mspaint.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe:Zone.Identifier read attributes | delete
            Source: C:\Windows\SysWOW64\svchost.exe | Memory written: PID: 1748 base: 77762BA0 value: E9 EB 37 CB 88
            Source: C:\Windows\SysWOW64\svchost.exe | Memory written: PID: 1748 base: 77762DE0 value: E9 5B 38 CB 88
            Source: C:\Windows\SysWOW64\svchost.exe | Memory written: PID: 1748 base: 771A8B60 value: E9 9B 84 26 89
            Source: C:\Windows\SysWOW64\svchost.exe | Memory written: PID: 1748 base: 771B37E0 value: E9 BB D8 25 89
            Source: C:\Windows\SysWOW64\svchost.exe | Memory written: PID: 1748 base: 771AF3E0 value: E9 2B 31 26 89
            Source: C:\Windows\SysWOW64\svchost.exe | Memory written: PID: 1748 base: 771B20B0 value: E9 BB 04 26 89
            Source: C:\Windows\SysWOW64\svchost.exe | Memory written: PID: 1748 base: 771B3130 value: E9 8B E0 25 89
            Source: C:\Windows\SysWOW64\svchost.exe | Memory written: PID: 1748 base: 771B3140 value: E9 4B E1 25 89
            Source: C:\Windows\SysWOW64\svchost.exe | Memory written: PID: 1748 base: 6FC03FF0 value: E9 AB E0 80 90
            Source: C:\Windows\SysWOW64\svchost.exe | Memory written: PID: 1748 base: 6FBB5720 value: E9 3B CA 85 90
            Source: C:\Windows\SysWOW64\svchost.exe | Memory written: PID: 1748 base: 6FB82B30 value: E9 6B F8 88 90
            Source: C:\Windows\SysWOW64\svchost.exe | Memory written: PID: 1748 base: 752022F0 value: E9 8B 6D 21 8B
            Source: C:\Windows\SysWOW64\svchost.exe | Memory written: PID: 1748 base: 751604F0 value: E9 FB 8C 2B 8B
            Source: C:\Windows\SysWOW64\svchost.exe | Memory written: PID: 1748 base: 6F785340 value: E9 AB C3 C8 90
            Source: C:\Windows\SysWOW64\svchost.exe | Memory written: PID: 1748 base: 6F743520 value: E9 BB E2 CC 90
            Source: C:\Windows\SysWOW64\svchost.exe | Memory written: PID: 1748 base: 75CA58A0 value: E9 AB 19 77 8A
            Source: C:\Windows\SysWOW64\svchost.exe | Memory written: PID: 1748 base: 75CA26B0 value: E9 5B F6 76 8A
            Source: C:\Windows\SysWOW64\svchost.exe | Memory written: PID: 1748 base: 77762FB0 value: E9 1B 24 CB 88
            Source: C:\Windows\SysWOW64\svchost.exe | Memory written: PID: 1748 base: 7773DE80 value: E9 7B 74 CD 88
            Source: C:\Windows\SysWOW64\calc.exe | Memory written: PID: 1860 base: 77762BA0 value: E9 EB 37 93 8B
            Source: C:\Windows\SysWOW64\calc.exe | Memory written: PID: 1860 base: 77762DE0 value: E9 5B 38 93 8B
            Source: C:\Windows\SysWOW64\calc.exe | Memory written: PID: 1860 base: 771A8B60 value: E9 9B 84 EE 8B
            Source: C:\Windows\SysWOW64\calc.exe | Memory written: PID: 1860 base: 771B37E0 value: E9 BB D8 ED 8B
            Source: C:\Windows\SysWOW64\calc.exe | Memory written: PID: 1860 base: 771AF3E0 value: E9 2B 31 EE 8B
            Source: C:\Windows\SysWOW64\calc.exe | Memory written: PID: 1860 base: 771B20B0 value: E9 BB 04 EE 8B
            Source: C:\Windows\SysWOW64\calc.exe | Memory written: PID: 1860 base: 771B3130 value: E9 8B E0 ED 8B
            Source: C:\Windows\SysWOW64\calc.exe | Memory written: PID: 1860 base: 771B3140 value: E9 4B E1 ED 8B
            Source: C:\Windows\SysWOW64\calc.exe | Memory written: PID: 1860 base: 752022F0 value: E9 8B 6D E9 8D
            Source: C:\Windows\SysWOW64\calc.exe | Memory written: PID: 1860 base: 751604F0 value: E9 FB 8C F3 8D
            Source: C:\Windows\SysWOW64\calc.exe | Memory written: PID: 1860 base: 6FC03FF0 value: E9 AB E0 48 93
            Source: C:\Windows\SysWOW64\calc.exe | Memory written: PID: 1860 base: 6FBB5720 value: E9 3B CA 4D 93
            Source: C:\Windows\SysWOW64\calc.exe | Memory written: PID: 1860 base: 6FB82B30 value: E9 6B F8 50 93
            Source: C:\Windows\SysWOW64\calc.exe | Memory written: PID: 1860 base: 6F785340 value: E9 AB C3 90 93
            Source: C:\Windows\SysWOW64\calc.exe | Memory written: PID: 1860 base: 6F743520 value: E9 BB E2 94 93
            Source: C:\Windows\SysWOW64\calc.exe | Memory written: PID: 1860 base: 75CA58A0 value: E9 AB 19 3F 8D
            Source: C:\Windows\SysWOW64\calc.exe | Memory written: PID: 1860 base: 75CA26B0 value: E9 5B F6 3E 8D
            Source: C:\Windows\SysWOW64\calc.exe | Memory written: PID: 1860 base: 77762FB0 value: E9 1B 24 93 8B
            Source: C:\Windows\SysWOW64\calc.exe | Memory written: PID: 1860 base: 7773DE80 value: E9 7B 74 95 8B
            Source: C:\Windows\SysWOW64\mspaint.exe | Memory written: PID: 2060 base: 77762BA0 value: E9 EB 37 35 8B
            Source: C:\Windows\SysWOW64\mspaint.exe | Memory written: PID: 2060 base: 77762DE0 value: E9 5B 38 35 8B
            Source: C:\Windows\SysWOW64\mspaint.exe | Memory written: PID: 2060 base: 771A8B60 value: E9 9B 84 90 8B
            Source: C:\Windows\SysWOW64\mspaint.exe | Memory written: PID: 2060 base: 771B37E0 value: E9 BB D8 8F 8B
            Source: C:\Windows\SysWOW64\mspaint.exe | Memory written: PID: 2060 base: 771AF3E0 value: E9 2B 31 90 8B
            Source: C:\Windows\SysWOW64\mspaint.exe | Memory written: PID: 2060 base: 771B20B0 value: E9 BB 04 90 8B
            Source: C:\Windows\SysWOW64\mspaint.exe | Memory written: PID: 2060 base: 771B3130 value: E9 8B E0 8F 8B
            Source: C:\Windows\SysWOW64\mspaint.exe | Memory written: PID: 2060 base: 771B3140 value: E9 4B E1 8F 8B
            Source: C:\Windows\SysWOW64\mspaint.exe | Memory written: PID: 2060 base: 6F785340 value: E9 AB C3 32 93
            Source: C:\Windows\SysWOW64\mspaint.exe | Memory written: PID: 2060 base: 6F743520 value: E9 BB E2 36 93
            Source: C:\Windows\SysWOW64\mspaint.exe | Memory written: PID: 2060 base: 6FC03FF0 value: E9 AB E0 EA 92
            Source: C:\Windows\SysWOW64\mspaint.exe | Memory written: PID: 2060 base: 6FBB5720 value: E9 3B CA EF 92
            Source: C:\Windows\SysWOW64\mspaint.exe | Memory written: PID: 2060 base: 6FB82B30 value: E9 6B F8 F2 92
            Source: C:\Windows\SysWOW64\mspaint.exe | Memory written: PID: 2060 base: 75CA58A0 value: E9 AB 19 E1 8C
            Source: C:\Windows\SysWOW64\mspaint.exe | Memory written: PID: 2060 base: 75CA26B0 value: E9 5B F6 E0 8C
            Source: C:\Windows\SysWOW64\mspaint.exe | Memory written: PID: 2060 base: 77762FB0 value: E9 1B 24 35 8B
            Source: C:\Windows\SysWOW64\mspaint.exe | Memory written: PID: 2060 base: 7773DE80 value: E9 7B 74 37 8B
            Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Memory written: PID: 4412 base: 77762BA0 value: E9 EB 37 C1 8B
            Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Memory written: PID: 4412 base: 77762DE0 value: E9 5B 38 C1 8B
            Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Memory written: PID: 4412 base: 771A8B60 value: E9 9B 84 1C 8C
            Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Memory written: PID: 4412 base: 771B37E0 value: E9 BB D8 1B 8C
            Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Memory written: PID: 4412 base: 771AF3E0 value: E9 2B 31 1C 8C
            Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Memory written: PID: 4412 base: 771B20B0 value: E9 BB 04 1C 8C
            Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Memory written: PID: 4412 base: 771B3130 value: E9 8B E0 1B 8C
            Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Memory written: PID: 4412 base: 771B3140 value: E9 4B E1 1B 8C
            Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Memory written: PID: 4412 base: 75CA58A0 value: E9 AB 19 6D 8D
            Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Memory written: PID: 4412 base: 75CA26B0 value: E9 5B F6 6C 8D
            Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Memory written: PID: 4412 base: 6F785340 value: E9 AB C3 BE 93
            Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Memory written: PID: 4412 base: 6F743520 value: E9 BB E2 C2 93
            Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Memory written: PID: 4412 base: 6FC03FF0 value: E9 AB E0 76 93
            Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Memory written: PID: 4412 base: 6FBB5720 value: E9 3B CA 7B 93
            Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Memory written: PID: 4412 base: 6FB82B30 value: E9 6B F8 7E 93
            Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Memory written: PID: 4412 base: 77762FB0 value: E9 1B 24 C1 8B
            Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Memory written: PID: 4412 base: 7773DE80 value: E9 7B 74 C3 8B
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Memory written: PID: 6720 base: 77762BA0 value: E9 EB 37 1A 89
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Memory written: PID: 6720 base: 77762DE0 value: E9 5B 38 1A 89
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Memory written: PID: 6720 base: 771A8B60 value: E9 9B 84 75 89
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Memory written: PID: 6720 base: 771B37E0 value: E9 BB D8 74 89
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Memory written: PID: 6720 base: 771AF3E0 value: E9 2B 31 75 89
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Memory written: PID: 6720 base: 771B20B0 value: E9 BB 04 75 89
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Memory written: PID: 6720 base: 771B3130 value: E9 8B E0 74 89
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Memory written: PID: 6720 base: 771B3140 value: E9 4B E1 74 89
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Memory written: PID: 6720 base: 6F785340 value: E9 AB C3 17 91
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Memory written: PID: 6720 base: 6F743520 value: E9 BB E2 1B 91
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Memory written: PID: 6720 base: 6FC03FF0 value: E9 AB E0 CF 90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Memory written: PID: 6720 base: 6FBB5720 value: E9 3B CA D4 90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Memory written: PID: 6720 base: 6FB82B30 value: E9 6B F8 D7 90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Memory written: PID: 6720 base: 75CA58A0 value: E9 AB 19 C6 8A
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Memory written: PID: 6720 base: 75CA26B0 value: E9 5B F6 C5 8A
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Memory written: PID: 6720 base: 77762FB0 value: E9 1B 24 1A 89
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Memory written: PID: 6720 base: 7773DE80 value: E9 7B 74 1C 89
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Memory written: PID: 6592 base: 77762BA0 value: E9 EB 37 7A 89
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Memory written: PID: 6592 base: 77762DE0 value: E9 5B 38 7A 89
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Memory written: PID: 6592 base: 771A8B60 value: E9 9B 84 D5 89
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Memory written: PID: 6592 base: 771B37E0 value: E9 BB D8 D4 89
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Memory written: PID: 6592 base: 771AF3E0 value: E9 2B 31 D5 89
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Memory written: PID: 6592 base: 771B20B0 value: E9 BB 04 D5 89
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Memory written: PID: 6592 base: 771B3130 value: E9 8B E0 D4 89
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Memory written: PID: 6592 base: 771B3140 value: E9 4B E1 D4 89
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Memory written: PID: 6592 base: 6F785340 value: E9 AB C3 77 91
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Memory written: PID: 6592 base: 6F743520 value: E9 BB E2 7B 91
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Memory written: PID: 6592 base: 6FC03FF0 value: E9 AB E0 2F 91
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Memory written: PID: 6592 base: 6FBB5720 value: E9 3B CA 34 91
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Memory written: PID: 6592 base: 6FB82B30 value: E9 6B F8 37 91
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Memory written: PID: 6592 base: 75CA58A0 value: E9 AB 19 26 8B
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Memory written: PID: 6592 base: 75CA26B0 value: E9 5B F6 25 8B
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Memory written: PID: 6592 base: 77762FB0 value: E9 1B 24 7A 89
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Memory written: PID: 6592 base: 7773DE80 value: E9 7B 74 7C 89
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Memory written: PID: 3840 base: 77762BA0 value: E9 EB 37 41 89
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Memory written: PID: 3840 base: 77762DE0 value: E9 5B 38 41 89
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Memory written: PID: 3840 base: 771A8B60 value: E9 9B 84 9C 89
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Memory written: PID: 3840 base: 771B37E0 value: E9 BB D8 9B 89
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Memory written: PID: 3840 base: 771AF3E0 value: E9 2B 31 9C 89
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Memory written: PID: 3840 base: 771B20B0 value: E9 BB 04 9C 89
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Memory written: PID: 3840 base: 771B3130 value: E9 8B E0 9B 89
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Memory written: PID: 3840 base: 771B3140 value: E9 4B E1 9B 89
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Memory written: PID: 3840 base: 6F785340 value: E9 AB C3 3E 91
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Memory written: PID: 3840 base: 6F743520 value: E9 BB E2 42 91
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Memory written: PID: 3840 base: 6FC03FF0 value: E9 AB E0 F6 90
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 3840 base: 6FBB5720 value: E9 3B CA FB 90 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 3840 base: 6FB82B30 value: E9 6B F8 FE 90 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 3840 base: 75CA58A0 value: E9 AB 19 ED 8A Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 3840 base: 75CA26B0 value: E9 5B F6 EC 8A Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 3840 base: 77762FB0 value: E9 1B 24 41 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 3840 base: 7773DE80 value: E9 7B 74 43 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 5900 base: 77762BA0 value: E9 EB 37 21 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 5900 base: 77762DE0 value: E9 5B 38 21 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 5900 base: 771A8B60 value: E9 9B 84 7C 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 5900 base: 771B37E0 value: E9 BB D8 7B 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 5900 base: 771AF3E0 value: E9 2B 31 7C 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 5900 base: 771B20B0 value: E9 BB 04 7C 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 5900 base: 771B3130 value: E9 8B E0 7B 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 5900 base: 771B3140 value: E9 4B E1 7B 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 5900 base: 6F785340 value: E9 AB C3 1E 91 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 5900 base: 6F743520 value: E9 BB E2 22 91 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 5900 base: 6FC03FF0 value: E9 AB E0 D6 90 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 5900 base: 6FBB5720 value: E9 3B CA DB 90 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 5900 base: 6FB82B30 value: E9 6B F8 DE 90 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 5900 base: 75CA58A0 value: E9 AB 19 CD 8A Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 5900 base: 75CA26B0 value: E9 5B F6 CC 8A Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 5900 base: 77762FB0 value: E9 1B 24 21 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 5900 base: 7773DE80 value: E9 7B 74 23 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 972 base: 77762BA0 value: E9 EB 37 98 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 972 base: 77762DE0 value: E9 5B 38 98 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 972 base: 771A8B60 value: E9 9B 84 F3 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 972 base: 771B37E0 value: E9 BB D8 F2 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 972 base: 771AF3E0 value: E9 2B 31 F3 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 972 base: 771B20B0 value: E9 BB 04 F3 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 972 base: 771B3130 value: E9 8B E0 F2 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 972 base: 771B3140 value: E9 4B E1 F2 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 972 base: 6F785340 value: E9 AB C3 95 91 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 972 base: 6F743520 value: E9 BB E2 99 91 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 972 base: 6FC03FF0 value: E9 AB E0 4D 91 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 972 base: 6FBB5720 value: E9 3B CA 52 91 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 972 base: 6FB82B30 value: E9 6B F8 55 91 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 972 base: 75CA58A0 value: E9 AB 19 44 8B Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 972 base: 75CA26B0 value: E9 5B F6 43 8B Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 972 base: 77762FB0 value: E9 1B 24 98 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 972 base: 7773DE80 value: E9 7B 74 9A 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 344 base: 77762BA0 value: E9 EB 37 F2 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 344 base: 77762DE0 value: E9 5B 38 F2 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 344 base: 771A8B60 value: E9 9B 84 4D 8A Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 344 base: 771B37E0 value: E9 BB D8 4C 8A Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 344 base: 771AF3E0 value: E9 2B 31 4D 8A Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 344 base: 771B20B0 value: E9 BB 04 4D 8A Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 344 base: 771B3130 value: E9 8B E0 4C 8A Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 344 base: 771B3140 value: E9 4B E1 4C 8A Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 344 base: 6F785340 value: E9 AB C3 EF 91 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 344 base: 6F743520 value: E9 BB E2 F3 91 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 344 base: 6FC03FF0 value: E9 AB E0 A7 91 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 344 base: 6FBB5720 value: E9 3B CA AC 91 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 344 base: 6FB82B30 value: E9 6B F8 AF 91 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 344 base: 75CA58A0 value: E9 AB 19 9E 8B Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 344 base: 75CA26B0 value: E9 5B F6 9D 8B Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 344 base: 77762FB0 value: E9 1B 24 F2 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 344 base: 7773DE80 value: E9 7B 74 F4 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 6448 base: 77762BA0 value: E9 EB 37 73 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 6448 base: 77762DE0 value: E9 5B 38 73 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 6448 base: 771A8B60 value: E9 9B 84 CE 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 6448 base: 771B37E0 value: E9 BB D8 CD 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 6448 base: 771AF3E0 value: E9 2B 31 CE 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 6448 base: 771B20B0 value: E9 BB 04 CE 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 6448 base: 771B3130 value: E9 8B E0 CD 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 6448 base: 771B3140 value: E9 4B E1 CD 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 6448 base: 6F785340 value: E9 AB C3 70 91 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 6448 base: 6F743520 value: E9 BB E2 74 91 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 6448 base: 6FC03FF0 value: E9 AB E0 28 91 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 6448 base: 6FBB5720 value: E9 3B CA 2D 91 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 6448 base: 6FB82B30 value: E9 6B F8 30 91 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 6448 base: 75CA58A0 value: E9 AB 19 1F 8B Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 6448 base: 75CA26B0 value: E9 5B F6 1E 8B Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 6448 base: 77762FB0 value: E9 1B 24 73 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 6448 base: 7773DE80 value: E9 7B 74 75 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 4456 base: 77762BA0 value: E9 EB 37 5D 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 4456 base: 77762DE0 value: E9 5B 38 5D 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 4456 base: 771A8B60 value: E9 9B 84 B8 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 4456 base: 771B37E0 value: E9 BB D8 B7 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 4456 base: 771AF3E0 value: E9 2B 31 B8 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 4456 base: 771B20B0 value: E9 BB 04 B8 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 4456 base: 771B3130 value: E9 8B E0 B7 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 4456 base: 771B3140 value: E9 4B E1 B7 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 4456 base: 6F785340 value: E9 AB C3 5A 91 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 4456 base: 6F743520 value: E9 BB E2 5E 91 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 4456 base: 6FC03FF0 value: E9 AB E0 12 91 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 4456 base: 6FBB5720 value: E9 3B CA 17 91 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 4456 base: 6FB82B30 value: E9 6B F8 1A 91 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 4456 base: 75CA58A0 value: E9 AB 19 09 8B Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 4456 base: 75CA26B0 value: E9 5B F6 08 8B Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 4456 base: 77762FB0 value: E9 1B 24 5D 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 4456 base: 7773DE80 value: E9 7B 74 5F 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 720 base: 77762BA0 value: E9 EB 37 CB 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 720 base: 77762DE0 value: E9 5B 38 CB 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 720 base: 771A8B60 value: E9 9B 84 26 8A Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 720 base: 771B37E0 value: E9 BB D8 25 8A Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 720 base: 771AF3E0 value: E9 2B 31 26 8A Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 720 base: 771B20B0 value: E9 BB 04 26 8A Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 720 base: 771B3130 value: E9 8B E0 25 8A Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 720 base: 771B3140 value: E9 4B E1 25 8A Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 720 base: 6F785340 value: E9 AB C3 C8 91 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 720 base: 6F743520 value: E9 BB E2 CC 91 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 720 base: 6FC03FF0 value: E9 AB E0 80 91 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 720 base: 6FBB5720 value: E9 3B CA 85 91 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 720 base: 6FB82B30 value: E9 6B F8 88 91 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 720 base: 75CA58A0 value: E9 AB 19 77 8B Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 720 base: 75CA26B0 value: E9 5B F6 76 8B Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 720 base: 77762FB0 value: E9 1B 24 CB 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 720 base: 7773DE80 value: E9 7B 74 CD 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 6708 base: 77762BA0 value: E9 EB 37 D9 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 6708 base: 77762DE0 value: E9 5B 38 D9 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 6708 base: 771A8B60 value: E9 9B 84 34 8A Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 6708 base: 771B37E0 value: E9 BB D8 33 8A Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 6708 base: 771AF3E0 value: E9 2B 31 34 8A Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 6708 base: 771B20B0 value: E9 BB 04 34 8A Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 6708 base: 771B3130 value: E9 8B E0 33 8A Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 6708 base: 771B3140 value: E9 4B E1 33 8A Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 6708 base: 6F785340 value: E9 AB C3 D6 91 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 6708 base: 6F743520 value: E9 BB E2 DA 91 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 6708 base: 6FC03FF0 value: E9 AB E0 8E 91 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 6708 base: 6FBB5720 value: E9 3B CA 93 91 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 6708 base: 6FB82B30 value: E9 6B F8 96 91 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 6708 base: 75CA58A0 value: E9 AB 19 85 8B Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 6708 base: 75CA26B0 value: E9 5B F6 84 8B Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 6708 base: 77762FB0 value: E9 1B 24 D9 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 6708 base: 7773DE80 value: E9 7B 74 DB 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 5296 base: 77762BA0 value: E9 EB 37 22 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 5296 base: 77762DE0 value: E9 5B 38 22 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 5296 base: 771A8B60 value: E9 9B 84 7D 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 5296 base: 771B37E0 value: E9 BB D8 7C 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 5296 base: 771AF3E0 value: E9 2B 31 7D 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 5296 base: 771B20B0 value: E9 BB 04 7D 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 5296 base: 771B3130 value: E9 8B E0 7C 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 5296 base: 771B3140 value: E9 4B E1 7C 89 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 5296 base: 6F785340 value: E9 AB C3 1F 91 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 5296 base: 6F743520 value: E9 BB E2 23 91 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 5296 base: 6FC03FF0 value: E9 AB E0 D7 90 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeMemory written: PID: 5296 base: 6FBB5720 value: E9 3B CA DC 90 Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Memory written (one row per write into the target PID)

            PID   base      value
            5296  6FB82B30  E9 6B F8 DF 90
            5296  75CA58A0  E9 AB 19 CE 8A
            5296  75CA26B0  E9 5B F6 CD 8A
            5296  77762FB0  E9 1B 24 22 89
            5296  7773DE80  E9 7B 74 24 89
            1528  77762BA0  E9 EB 37 87 89
            1528  77762DE0  E9 5B 38 87 89
            1528  771A8B60  E9 9B 84 E2 89
            1528  771B37E0  E9 BB D8 E1 89
            1528  771AF3E0  E9 2B 31 E2 89
            1528  771B20B0  E9 BB 04 E2 89
            1528  771B3130  E9 8B E0 E1 89
            1528  771B3140  E9 4B E1 E1 89
            1528  6F785340  E9 AB C3 84 91
            1528  6F743520  E9 BB E2 88 91
            1528  6FC03FF0  E9 AB E0 3C 91
            1528  6FBB5720  E9 3B CA 41 91
            1528  6FB82B30  E9 6B F8 44 91
            1528  75CA58A0  E9 AB 19 33 8B
            1528  75CA26B0  E9 5B F6 32 8B
            1528  77762FB0  E9 1B 24 87 89
            1528  7773DE80  E9 7B 74 89 89
            3172  77762BA0  E9 EB 37 E4 89
            3172  77762DE0  E9 5B 38 E4 89
            3172  771A8B60  E9 9B 84 3F 8A
            3172  771B37E0  E9 BB D8 3E 8A
            3172  771AF3E0  E9 2B 31 3F 8A
            3172  771B20B0  E9 BB 04 3F 8A
            3172  771B3130  E9 8B E0 3E 8A
            3172  771B3140  E9 4B E1 3E 8A
            3172  6F785340  E9 AB C3 E1 91
            3172  6F743520  E9 BB E2 E5 91
            3172  6FC03FF0  E9 AB E0 99 91
            3172  6FBB5720  E9 3B CA 9E 91
            3172  6FB82B30  E9 6B F8 A1 91
            3172  75CA58A0  E9 AB 19 90 8B
            3172  75CA26B0  E9 5B F6 8F 8B
            3172  77762FB0  E9 1B 24 E4 89
            3172  7773DE80  E9 7B 74 E6 89
            6680  77762BA0  E9 EB 37 82 89
            6680  77762DE0  E9 5B 38 82 89
            6680  771A8B60  E9 9B 84 DD 89
            6680  771B37E0  E9 BB D8 DC 89
            6680  771AF3E0  E9 2B 31 DD 89
            6680  771B20B0  E9 BB 04 DD 89
            6680  771B3130  E9 8B E0 DC 89
            6680  771B3140  E9 4B E1 DC 89
            6680  6F785340  E9 AB C3 7F 91
            6680  6F743520  E9 BB E2 83 91
            6680  6FC03FF0  E9 AB E0 37 91
            6680  6FBB5720  E9 3B CA 3C 91
            6680  6FB82B30  E9 6B F8 3F 91
            6680  75CA58A0  E9 AB 19 2E 8B
            6680  75CA26B0  E9 5B F6 2D 8B
            6680  77762FB0  E9 1B 24 82 89
            6680  7773DE80  E9 7B 74 84 89
            6132  77762BA0  E9 EB 37 F7 88
            6132  77762DE0  E9 5B 38 F7 88
            6132  771A8B60  E9 9B 84 52 89
            6132  771B37E0  E9 BB D8 51 89
            6132  771AF3E0  E9 2B 31 52 89
            6132  771B20B0  E9 BB 04 52 89
            6132  771B3130  E9 8B E0 51 89
            6132  771B3140  E9 4B E1 51 89
            6132  6F785340  E9 AB C3 F4 90
            6132  6F743520  E9 BB E2 F8 90
            6132  6FC03FF0  E9 AB E0 AC 90
            6132  6FBB5720  E9 3B CA B1 90
            6132  6FB82B30  E9 6B F8 B4 90
            6132  75CA58A0  E9 AB 19 A3 8A
            6132  75CA26B0  E9 5B F6 A2 8A
            6132  77762FB0  E9 1B 24 F7 88
            6132  7773DE80  E9 7B 74 F9 88
            6368  77762BA0  E9 EB 37 F7 88
            6368  77762DE0  E9 5B 38 F7 88
            6368  771A8B60  E9 9B 84 52 89
            6368  771B37E0  E9 BB D8 51 89
            6368  771AF3E0  E9 2B 31 52 89
            6368  771B20B0  E9 BB 04 52 89
            6368  771B3130  E9 8B E0 51 89
            6368  771B3140  E9 4B E1 51 89
            6368  6F785340  E9 AB C3 F4 90
            6368  6F743520  E9 BB E2 F8 90
            6368  6FC03FF0  E9 AB E0 AC 90
            6368  6FBB5720  E9 3B CA B1 90
            6368  6FB82B30  E9 6B F8 B4 90
            6368  75CA58A0  E9 AB 19 A3 8A
            6368  75CA26B0  E9 5B F6 A2 8A
            6368  77762FB0  E9 1B 24 F7 88
            6368  7773DE80  E9 7B 74 F9 88
            4732  77762BA0  E9 EB 37 9E 89
            4732  77762DE0  E9 5B 38 9E 89
            4732  771A8B60  E9 9B 84 F9 89
            4732  771B37E0  E9 BB D8 F8 89
            4732  771AF3E0  E9 2B 31 F9 89
            4732  771B20B0  E9 BB 04 F9 89
            4732  771B3130  E9 8B E0 F8 89
            4732  771B3140  E9 4B E1 F8 89
            4732  6F785340  E9 AB C3 9B 91
            4732  6F743520  E9 BB E2 9F 91
            4732  6FC03FF0  E9 AB E0 53 91
            4732  6FBB5720  E9 3B CA 58 91
            4732  6FB82B30  E9 6B F8 5B 91
            4732  75CA58A0  E9 AB 19 4A 8B
            4732  75CA26B0  E9 5B F6 49 8B
            4732  77762FB0  E9 1B 24 9E 89
            4732  7773DE80  E9 7B 74 A0 89
            6596  77762BA0  E9 EB 37 7B 89
            6596  77762DE0  E9 5B 38 7B 89
            6596  771A8B60  E9 9B 84 D6 89
            6596  771B37E0  E9 BB D8 D5 89
            6596  771AF3E0  E9 2B 31 D6 89
            6596  771B20B0  E9 BB 04 D6 89
            6596  771B3130  E9 8B E0 D5 89
            6596  771B3140  E9 4B E1 D5 89
            6596  6F785340  E9 AB C3 78 91
            6596  6F743520  E9 BB E2 7C 91
            6596  6FC03FF0  E9 AB E0 30 91
            6596  6FBB5720  E9 3B CA 35 91
            6596  6FB82B30  E9 6B F8 38 91
            6596  75CA58A0  E9 AB 19 27 8B
            6596  75CA26B0  E9 5B F6 26 8B
            6596  77762FB0  E9 1B 24 7B 89
            6596  7773DE80  E9 7B 74 7D 89
            7052  77762BA0  E9 EB 37 36 89
            7052  77762DE0  E9 5B 38 36 89
            7052  771A8B60  E9 9B 84 91 89
            7052  771B37E0  E9 BB D8 90 89
            7052  771AF3E0  E9 2B 31 91 89
            7052  771B20B0  E9 BB 04 91 89
            7052  771B3130  E9 8B E0 90 89
            7052  771B3140  E9 4B E1 90 89
            7052  6F785340  E9 AB C3 33 91
            7052  6F743520  E9 BB E2 37 91
            7052  6FC03FF0  E9 AB E0 EB 90
            7052  6FBB5720  E9 3B CA F0 90
            7052  6FB82B30  E9 6B F8 F3 90
            7052  75CA58A0  E9 AB 19 E2 8A
            7052  75CA26B0  E9 5B F6 E1 8A
            7052  77762FB0  E9 1B 24 36 89
            7052  7773DE80  E9 7B 74 38 89
            4832  77762BA0  E9 EB 37 70 89
            4832  77762DE0  E9 5B 38 70 89
            4832  771A8B60  E9 9B 84 CB 89
            4832  771B37E0  E9 BB D8 CA 89
            4832  771AF3E0  E9 2B 31 CB 89
            4832  771B20B0  E9 BB 04 CB 89
            4832  771B3130  E9 8B E0 CA 89
            4832  771B3140  E9 4B E1 CA 89
            4832  6F785340  E9 AB C3 6D 91
            4832  6F743520  E9 BB E2 71 91
            4832  6FC03FF0  E9 AB E0 25 91
            4832  6FBB5720  E9 3B CA 2A 91
            4832  6FB82B30  E9 6B F8 2D 91
            4832  75CA58A0  E9 AB 19 1C 8B
            4832  75CA26B0  E9 5B F6 1B 8B
            4832  77762FB0  E9 1B 24 70 89
            4832  7773DE80  E9 7B 74 72 89
            Source: unknown | Network traffic detected: HTTP traffic on port 3720 -> 49707
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: 15_2_00407020 GetModuleHandleA,SetLastError,CreateMutexA,GetLastError,ExitThread,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTempPathA,lstrcatA,GetTempPathA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,GetTickCount,lstrlenA,lstrcatA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,SHGetFolderPathA,lstrcatA,CreateProcessA,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,GetExitCodeThread 15_2_00407020
            Source: C:\Windows\SysWOW64\mspaint.exe | Process information set: NOOPENFILEERRORBOX (6 identical entries)

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: EntryPoint,CreateThread,GetModuleFileNameW,GetModuleHandleA,GetProcAddress,GetCommandLineA,StrStrA,GetCommandLineA,StrStrA,SetLastError,CreateMutexA,GetLastError,ExitProcess,GetModuleFileNameA,CreateThread,GetProcessHeap,SHGetFolderPathW,lstrcpyW,lstrcatW,lstrcpyA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrcatW,CreateProcessW,FindResourceA,LoadResource,SizeofResource,LockResource,VirtualProtect,GetModuleFileNameW,ExitProcess,15_2_00404FB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: EntryPoint,CreateThread,GetModuleFileNameW,GetModuleHandleA,GetProcAddress,GetCommandLineA,StrStrA,GetCommandLineA,StrStrA,SetLastError,CreateMutexA,GetLastError,ExitProcess,GetModuleFileNameA,CreateThread,GetProcessHeap,SHGetFolderPathW,lstrcpyW,lstrcatW,lstrcpyA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrcatW,CreateProcessW,FindResourceA,LoadResource,SizeofResource,LockResource,VirtualProtect,GetModuleFileNameW,ExitProcess,16_2_001C4FB0
            Source: C:\Windows\SysWOW64\mspaint.exe | Code function: EntryPoint,CreateThread,GetModuleFileNameW,GetModuleHandleA,GetProcAddress,GetCommandLineA,StrStrA,GetCommandLineA,StrStrA,SetLastError,CreateMutexA,GetLastError,ExitProcess,GetModuleFileNameA,CreateThread,GetProcessHeap,SHGetFolderPathW,lstrcpyW,lstrcatW,lstrcpy,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrcatW,CreateProcessW,FindResourceA,LoadResource,SizeofResource,LockResource,VirtualProtect,GetModuleFileNameW,ExitProcess,18_2_02A74FB0
            Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess graph_16-8308
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess graph_15-2908
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Evasive API call chain: NtQuerySystemInformation,DecisionNodes,ExitProcess
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
            Source: C:\Windows\SysWOW64\mspaint.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-7371
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_0-7237
            Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 9.8 %
            Source: C:\Windows\SysWOW64\calc.exe | API coverage: 2.6 %
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | API coverage: 5.8 %
            Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | API coverage: 1.7 %
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | API coverage: 1.6 %
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | API coverage: 1.6 %
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | API coverage: 1.6 %
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | API coverage: 1.6 %
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | API coverage: 1.6 %
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | API coverage: 1.6 %
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | API coverage: 1.6 %
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | API coverage: 1.6 %
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | API coverage: 1.6 %
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | API coverage: 1.6 %
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | API coverage: 1.6 %
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | API coverage: 1.6 %
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | API coverage: 1.6 %
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | API coverage: 1.6 %
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | API coverage: 1.6 %
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | API coverage: 1.6 %
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | API coverage: 1.6 %
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | API coverage: 1.6 %
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | API coverage: 1.6 %
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | API coverage: 1.6 %
            Source: C:\Windows\SysWOW64\calc.exe TID: 2380 | Thread sleep time: -50000s >= -30000s
            Source: C:\Windows\SysWOW64\mspaint.exe TID: 6428 | Thread sleep time: -195000s >= -30000s
            Source: C:\Windows\SysWOW64\mspaint.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: 15_2_0040440B lstrlenA,GetDriveTypeA,wsprintfA,SetFileAttributesA,DeleteFileA,CreateFileA,CloseHandle,DeleteFileA,GetVolumeInformationA,lstrcatA,wsprintfA,FindFirstFileA,lstrcmpA,lstrcpyA,lstrlenA,wsprintfA,wsprintfA,MoveFileA,wsprintfA,wsprintfA,StrStrA,SetFileAttributesA,DeleteFileA,FindNextFileA,wsprintfA,SetFileAttributesA,DeleteFileA,CopyFileA,SetFileAttributesA,CreateFileA,15_2_0040440B
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: 15_2_00408020 wsprintfA,FindFirstFileA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,wsprintfA,DeleteFileA,FindNextFileA,FindClose,15_2_00408020
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: 15_2_00405C20 FindFirstFileA,SetFileAttributesA,lstrcpyA,lstrcatA,MoveFileExA,FindNextFileA,FindClose,15_2_00405C20
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: 15_2_00403820 lstrcatA,FindFirstFileA,StrRChrA,lstrcpynA,lstrcatA,StrStrIA,lstrcpyA,lstrlenA,FindNextFileA,FindClose,15_2_00403820
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: 15_2_00404370 SHGetFolderPathA,wsprintfA,lstrlenA,GetDriveTypeA,wsprintfA,SetFileAttributesA,DeleteFileA,CreateFileA,CloseHandle,DeleteFileA,GetVolumeInformationA,lstrcatA,wsprintfA,FindFirstFileA,lstrcmpA,lstrcpyA,lstrlenA,wsprintfA,wsprintfA,MoveFileA,wsprintfA,wsprintfA,StrStrA,SetFileAttributesA,DeleteFileA,StrStrA,StrStrA,StrStrA,StrStrA,StrStrA,GetFileAttributesA,SetFileAttributesA,DeleteFileA,CopyFileA,SetFileAttributesA,lstrlenA,lstrlenA,MultiByteToWideChar,SetFileAttributesA,SetFileAttributesA,FindNextFileA,wsprintfA,SetFileAttributesA,DeleteFileA,CopyFileA,SetFileAttributesA,CreateFileA,15_2_00404370
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: 15_2_00405D10 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,15_2_00405D10
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: 15_2_004089D0 SHGetSpecialFolderPathA,GetComputerNameA,CharLowerA,lstrlenA,wsprintfA,FindFirstFileA,CharLowerA,wsprintfA,wsprintfA,MoveFileA,GetLastError,FindNextFileA,FindClose,15_2_004089D0
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: 15_2_00403980 SHGetFolderPathA,lstrcatA,FindFirstFileA,lstrlenA,StrRChrA,lstrcpynA,lstrcatA,FindNextFileA,FindClose,15_2_00403980
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: 15_2_00404D90 GetEnvironmentVariableA,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,FindFirstFileA,lstrcpyA,lstrcatA,StrStrA,lstrcpyA,lstrcatA,MoveFileExA,FindNextFileA,FindClose,15_2_00404D90
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: 15_2_00405D90 FindFirstFileA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,lstrcmpiA,Process32Next,FindNextFileA,15_2_00405D90
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 16_2_001C8020 wsprintfA,FindFirstFileA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,FindCloseChangeNotification,wsprintfA,DeleteFileA,FindNextFileA,FindClose,16_2_001C8020
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 16_2_001C5C20 FindFirstFileA,SetFileAttributesA,lstrcpyA,lstrcatA,MoveFileExA,FindNextFileA,FindClose,16_2_001C5C20
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 16_2_001C5D10 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,16_2_001C5D10
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 16_2_001C4370 SHGetFolderPathA,wsprintfA,lstrlenA,GetDriveTypeA,wsprintfA,SetFileAttributesA,DeleteFileA,CreateFileA,CloseHandle,DeleteFileA,GetVolumeInformationA,lstrcatA,wsprintfA,FindFirstFileA,lstrcmpA,lstrcpyA,lstrlenA,wsprintfA,wsprintfA,MoveFileA,wsprintfA,wsprintfA,StrStrA,SetFileAttributesA,DeleteFileA,StrStrA,StrStrA,StrStrA,StrStrA,StrStrA,GetFileAttributesA,SetFileAttributesA,DeleteFileA,CopyFileA,SetFileAttributesA,lstrlenA,lstrlenA,MultiByteToWideChar,SetFileAttributesA,SetFileAttributesA,FindNextFileA,wsprintfA,SetFileAttributesA,DeleteFileA,CopyFileA,SetFileAttributesA,CreateFileA,16_2_001C4370
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 16_2_001C89D0 SHGetSpecialFolderPathA,GetComputerNameA,CharLowerA,lstrlenA,wsprintfA,FindFirstFileA,CharLowerA,wsprintfA,wsprintfA,MoveFileA,GetLastError,FindNextFileA,FindClose,16_2_001C89D0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 16_2_001C440B lstrlenA,GetDriveTypeA,wsprintfA,SetFileAttributesA,DeleteFileA,CreateFileA,CloseHandle,DeleteFileA,GetVolumeInformationA,lstrcatA,wsprintfA,FindFirstFileA,lstrcmpA,lstrcpyA,lstrlenA,wsprintfA,wsprintfA,MoveFileA,wsprintfA,wsprintfA,StrStrA,SetFileAttributesA,DeleteFileA,FindNextFileA,wsprintfA,SetFileAttributesA,DeleteFileA,CopyFileA,SetFileAttributesA,CreateFileA,16_2_001C440B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 16_2_001C3820 lstrcatA,FindFirstFileA,StrRChrA,lstrcpynA,lstrcatA,StrStrIA,lstrcpyA,lstrlenA,FindNextFileA,FindClose,16_2_001C3820
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 16_2_001C5D90 FindFirstFileA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,lstrcmpiA,Process32Next,FindNextFileA,16_2_001C5D90
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 16_2_001C4D90 GetEnvironmentVariableA,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,FindFirstFileA,lstrcpyA,lstrcatA,StrStrA,lstrcpyA,lstrcatA,MoveFileExA,FindNextFileA,FindClose,16_2_001C4D90
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 16_2_001C3980 SHGetFolderPathA,lstrcatA,FindFirstFileA,lstrlenA,StrRChrA,lstrcpynA,lstrcatA,FindNextFileA,FindClose,16_2_001C3980
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 16_2_0041F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,16_2_0041F130
            Source: C:\Windows\SysWOW64\calc.exe | Code function: 17_2_0309F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,17_2_0309F130
            Source: C:\Windows\SysWOW64\mspaint.exe | Code function: 18_2_02A78020 wsprintfA,FindFirstFileA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,wsprintfA,DeleteFileA,FindNextFileA,FindClose,18_2_02A78020
            Source: C:\Windows\SysWOW64\mspaint.exe | Code function: 18_2_02A75C20 FindFirstFileA,SetFileAttributesA,lstrcpy,lstrcat,MoveFileExA,FindNextFileA,FindClose,18_2_02A75C20
            Source: C:\Windows\SysWOW64\mspaint.exe | Code function: 18_2_02A73820 lstrcat,FindFirstFileA,StrRChrA,lstrcpyn,lstrcat,StrStrIA,lstrcpy,lstrlen,FindNextFileA,FindClose,18_2_02A73820
            Source: C:\Windows\SysWOW64\mspaint.exe | Code function: 18_2_02A7440B lstrlen,GetDriveTypeA,wsprintfA,SetFileAttributesA,DeleteFileA,CreateFileA,CloseHandle,DeleteFileA,GetVolumeInformationA,lstrcat,wsprintfA,FindFirstFileA,lstrcmp,lstrcpy,lstrlen,wsprintfA,wsprintfA,MoveFileA,wsprintfA,wsprintfA,StrStrA,SetFileAttributesA,DeleteFileA,FindNextFileA,wsprintfA,SetFileAttributesA,DeleteFileA,CopyFileA,SetFileAttributesA,CreateFileA,18_2_02A7440B
            Source: C:\Windows\SysWOW64\mspaint.exe | Code function: 18_2_02A73980 SHGetFolderPathA,lstrcat,FindFirstFileA,lstrlen,StrRChrA,lstrcpyn,lstrcat,FindNextFileA,FindClose,18_2_02A73980
            Source: C:\Windows\SysWOW64\mspaint.exe | Code function: 18_2_02A74D90 GetEnvironmentVariableA,lstrcat,lstrcat,lstrcat,lstrcpy,lstrcat,FindFirstFileA,lstrcpy,lstrcat,StrStrA,lstrcpy,lstrcat,MoveFileExA,FindNextFileA,FindClose,18_2_02A74D90
            Source: C:\Windows\SysWOW64\mspaint.exe | Code function: 18_2_02A75D90 FindFirstFileA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,lstrcmpiA,Process32Next,FindNextFileA,18_2_02A75D90
            Source: C:\Windows\SysWOW64\mspaint.exe | Code function: 18_2_02A789D0 SHGetSpecialFolderPathA,GetComputerNameA,CharLowerA,lstrlen,wsprintfA,FindFirstFileA,CharLowerA,wsprintfA,wsprintfA,MoveFileA,GetLastError,FindNextFileA,FindClose,18_2_02A789D0
            Source: C:\Windows\SysWOW64\mspaint.exe | Code function: 18_2_02A75D10 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,18_2_02A75D10
            Source: C:\Windows\SysWOW64\mspaint.exe | Code function: 18_2_02A74370 SHGetFolderPathA,wsprintfA,lstrlen,GetDriveTypeA,wsprintfA,SetFileAttributesA,DeleteFileA,CreateFileA,CloseHandle,DeleteFileA,GetVolumeInformationA,lstrcat,wsprintfA,FindFirstFileA,lstrcmp,lstrcpy,lstrlen,wsprintfA,wsprintfA,MoveFileA,wsprintfA,wsprintfA,StrStrA,SetFileAttributesA,DeleteFileA,StrStrA,StrStrA,StrStrA,StrStrA,StrStrA,GetFileAttributesA,SetFileAttributesA,DeleteFileA,CopyFileA,SetFileAttributesA,lstrlen,lstrlen,MultiByteToWideChar,SetFileAttributesA,SetFileAttributesA,FindNextFileA,wsprintfA,SetFileAttributesA,DeleteFileA,CopyFileA,SetFileAttributesA,CreateFileA,18_2_02A74370
            Source: C:\Windows\SysWOW64\mspaint.exe | Code function: 18_2_02ABF130 SetFileAttributesA,memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,18_2_02ABF130
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: 19_2_0040F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,19_2_0040F130
            Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Code function: 20_2_0337F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,20_2_0337F130
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: 21_2_0090F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,21_2_0090F130
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: 22_2_00F0F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,22_2_00F0F130
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: 23_2_00B7F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,23_2_00B7F130
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: 24_2_0097F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,24_2_0097F130
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: 25_2_010EF130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,25_2_010EF130
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: 26_2_0168F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,26_2_0168F130
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: 27_2_00E9F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,27_2_00E9F130
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: 28_2_00D3F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,28_2_00D3F130
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: 29_2_0141F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,29_2_0141F130
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: 30_2_014FF130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,30_2_014FF130
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: 31_2_0098F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,31_2_0098F130
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: 32_2_00FDF130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,32_2_00FDF130
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: 33_2_015AF130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,33_2_015AF130
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: 34_2_00F8F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,34_2_00F8F130
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: 35_2_006DF130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,35_2_006DF130
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: 36_2_006DF130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,36_2_006DF130
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: 37_2_0114F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,37_2_0114F130
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: 38_2_00F1F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,38_2_00F1F130
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: 39_2_00ACF130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,39_2_00ACF130
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: 40_2_00E6F130 memset,memset,lstrcpyA,SetCurrentDirectoryA,FindFirstFileA,CoInitialize,_snprintf,FindNextFileA,strncmp,strstr,_snprintf,FindNextFileA,FindClose,40_2_00E6F130
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 16_2_0041F9E0 memset,GetLogicalDriveStringsA,lstrcatA,lstrcatA,16_2_0041F9E0
            Source: C:\Windows\SysWOW64\calc.exe | Thread delayed: delay time: 50000
            Source: mspaint.exe, 00000012.00000002.2550014931.0000000002C4A000.00000004.00000020.00020000.00000000.sdmp, mspaint.exe, 00000012.00000002.2550014931.0000000002BF7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | API call chain: ExitProcess graph end node graph_15-2910
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | API call chain: ExitProcess graph end node graph_15-3316
            Source: C:\Windows\SysWOW64\svchost.exe | API call chain: ExitProcess graph end node graph_16-8309
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | API call chain: ExitProcess graph end node
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | API call chain: ExitProcess graph end node
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | API call chain: ExitProcess graph end node
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Process information queried: ProcessInformation

            Anti Debugging

            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 16_2_00415A20 LdrEnumerateLoadedModules,CloseHandle,CreateThread,CloseHandle,CreateThread,CloseHandle,16_2_00415A20
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: 0_2_0040265D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0040265D
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: 0_2_0040B186 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,0_2_0040B186
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: 0_2_00450000 mov eax, dword ptr fs:[00000030h] 0_2_00450000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: 0_2_00450000 mov eax, dword ptr fs:[00000030h] 0_2_00450000
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 16_2_004135B0 mov eax, dword ptr fs:[00000030h] 16_2_004135B0
            Source: C:\Windows\SysWOW64\calc.exe | Code function: 17_2_030935B0 mov eax, dword ptr fs:[00000030h] 17_2_030935B0
            Source: C:\Windows\SysWOW64\mspaint.exe | Code function: 18_2_02AB35B0 mov eax, dword ptr fs:[00000030h] 18_2_02AB35B0
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: 19_2_004035B0 mov eax, dword ptr fs:[00000030h] 19_2_004035B0
            Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Code function: 20_2_033735B0 mov eax, dword ptr fs:[00000030h] 20_2_033735B0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: 21_2_009035B0 mov eax, dword ptr fs:[00000030h] 21_2_009035B0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: 22_2_00F035B0 mov eax, dword ptr fs:[00000030h] 22_2_00F035B0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: 23_2_00B735B0 mov eax, dword ptr fs:[00000030h] 23_2_00B735B0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: 24_2_009735B0 mov eax, dword ptr fs:[00000030h] 24_2_009735B0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: 25_2_010E35B0 mov eax, dword ptr fs:[00000030h] 25_2_010E35B0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: 26_2_016835B0 mov eax, dword ptr fs:[00000030h] 26_2_016835B0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: 27_2_00E935B0 mov eax, dword ptr fs:[00000030h] 27_2_00E935B0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: 28_2_00D335B0 mov eax, dword ptr fs:[00000030h] 28_2_00D335B0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: 29_2_014135B0 mov eax, dword ptr fs:[00000030h] 29_2_014135B0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: 30_2_014F35B0 mov eax, dword ptr fs:[00000030h] 30_2_014F35B0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: 31_2_009835B0 mov eax, dword ptr fs:[00000030h] 31_2_009835B0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: 32_2_00FD35B0 mov eax, dword ptr fs:[00000030h] 32_2_00FD35B0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: 33_2_015A35B0 mov eax, dword ptr fs:[00000030h] 33_2_015A35B0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: 34_2_00F835B0 mov eax, dword ptr fs:[00000030h] 34_2_00F835B0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: 35_2_006D35B0 mov eax, dword ptr fs:[00000030h] 35_2_006D35B0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: 36_2_006D35B0 mov eax, dword ptr fs:[00000030h] 36_2_006D35B0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: 37_2_011435B0 mov eax, dword ptr fs:[00000030h] 37_2_011435B0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: 38_2_00F135B0 mov eax, dword ptr fs:[00000030h] 38_2_00F135B0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: 39_2_00AC35B0 mov eax, dword ptr fs:[00000030h] 39_2_00AC35B0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: 40_2_00E635B0 mov eax, dword ptr fs:[00000030h] 40_2_00E635B0
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: 15_2_00404FB0 EntryPoint,CreateThread,GetModuleFileNameW,GetModuleHandleA,GetProcAddress,GetCommandLineA,StrStrA,GetCommandLineA,StrStrA,SetLastError,CreateMutexA,GetLastError,ExitProcess,GetModuleFileNameA,CreateThread,GetProcessHeap,SHGetFolderPathW,lstrcpyW,lstrcatW,lstrcpyA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrcatW,CreateProcessW,FindResourceA,LoadResource,SizeofResource,LockResource,VirtualProtect,GetModuleFileNameW,ExitProcess,15_2_00404FB0
            Source: C:\Windows\SysWOW64\svchost.exe | Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\calc.exe | Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\mspaint.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: 0_2_00409084 SetUnhandledExceptionFilter,0_2_00409084
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: 0_2_0040D08B __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0040D08B
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: 0_2_0040265D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0040265D
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: 0_2_00405E5E _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00405E5E

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 1C0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 1F0000 protect: page read and write
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory allocated: C:\Windows\SysWOW64\calc.exe base: 3070000 protect: page execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Memory allocated: C:\Windows\SysWOW64\mspaint.exe base: 2A70000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory allocated: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 3360000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory allocated: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 3370000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 7D0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 900000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: EF0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: F00000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: B00000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: B70000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 3B0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 970000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1060000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 10E0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1380000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1680000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: D30000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: E90000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: D20000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: D30000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 12D0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1410000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1340000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 14F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 8D0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 980000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: FC0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: FD0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1450000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 15A0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: DB0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: F80000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 2F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 6D0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 3B0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 6D0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: B90000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1140000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: C20000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: F10000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 9F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: AC0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: E50000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: E60000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1260000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1270000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: F00000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1160000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 3C0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 820000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1120000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1360000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1110000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1250000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 600000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 890000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: A50000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: CA0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: F70000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1200000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: A80000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: C00000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 850000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: AE0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 210000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 6D0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: A30000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: C00000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: A50000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: A60000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: AE0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: B80000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: E70000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1060000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 3C0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 7D0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: D20000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: ED0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 940000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 990000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1030000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 11D0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: F00000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1150000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1320000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 15E0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1350000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1360000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 12A0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 12B0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 2B0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 6D0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 7A0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: BD0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 9C0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: FD0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: B80000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 10D0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: F20000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 10C0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: DD0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: FD0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: A90000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: BD0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1210000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 13B0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 920000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 980000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 5C0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: B50000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 10D0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 11A0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: FB0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 14A0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 12A0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1530000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 12F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1510000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 790000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: C80000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 300000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 820000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: C80000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: C90000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: E30000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: F90000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: B70000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: B80000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1010000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1200000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 9C0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: ED0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 3B0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 800000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: B00000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: DA0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: BA0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 10E0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 830000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 950000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1320000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1470000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: DB0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1280000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 9D0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: A80000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 400000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 410000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Windows\SysWOW64\calc.exe base: 3080000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Windows\SysWOW64\calc.exe base: 3090000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Windows\SysWOW64\mspaint.exe base: 2AA0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory allocated: C:\Windows\SysWOW64\mspaint.exe base: 2AB0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeCode function: 0_2_00450E99 VirtualAlloc,CreateProcessA,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,Wow64GetThreadContext,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,0_2_00450E99
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeCode function: 15_2_00407020 GetModuleHandleA,SetLastError,CreateMutexA,GetLastError,ExitThread,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTempPathA,lstrcatA,GetTempPathA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,GetTickCount,lstrlenA,lstrcatA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,SHGetFolderPathA,lstrcatA,CreateProcessA,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,GetExitCodeThread,15_2_00407020
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeCode function: 15_2_00405AD0 GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CreateRemoteThread,WaitForSingleObject,15_2_00405AD0
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeCode function: 15_2_00404AA0 VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,15_2_00404AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_001C5AD0 GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CreateRemoteThread,WaitForSingleObject,16_2_001C5AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_001C7020 GetModuleHandleA,SetLastError,CreateMutexA,GetLastError,ExitThread,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTempPathA,lstrcatA,GetTempPathA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,GetTickCount,lstrlenA,lstrcatA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,SHGetFolderPathA,lstrcatA,CreateProcessA,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,GetExitCodeThread,16_2_001C7020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_001C4AA0 VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,16_2_001C4AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_004142E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,16_2_004142E0
            Source: C:\Windows\SysWOW64\calc.exeCode function: 17_2_030942E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,17_2_030942E0
            Source: C:\Windows\SysWOW64\mspaint.exeCode function: 18_2_02A74AA0 VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,18_2_02A74AA0
            Source: C:\Windows\SysWOW64\mspaint.exeCode function: 18_2_02A75AD0 GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CreateRemoteThread,WaitForSingleObject,18_2_02A75AD0
            Source: C:\Windows\SysWOW64\mspaint.exeCode function: 18_2_02A77020 GetModuleHandleA,SetLastError,CreateMutexA,GetLastError,RtlExitUserThread,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetTempPathA,lstrcat,GetTempPathA,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,GetTickCount,lstrlen,lstrcat,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,lstrcpy,SHGetFolderPathA,lstrcat,CreateProcessA,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,GetExitCodeThread,18_2_02A77020
            Source: C:\Windows\SysWOW64\mspaint.exeCode function: 18_2_02AB42E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,18_2_02AB42E0
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeCode function: 19_2_004042E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,19_2_004042E0
            Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exeCode function: 20_2_033742E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,20_2_033742E0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 21_2_009042E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,21_2_009042E0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 22_2_00F042E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,22_2_00F042E0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 23_2_00B742E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,23_2_00B742E0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 24_2_009742E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,24_2_009742E0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 25_2_010E42E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,25_2_010E42E0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 26_2_016842E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,26_2_016842E0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 27_2_00E942E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,27_2_00E942E0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 28_2_00D342E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,28_2_00D342E0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 29_2_014142E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,29_2_014142E0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 30_2_014F42E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,30_2_014F42E0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 31_2_009842E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,31_2_009842E0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 32_2_00FD42E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,32_2_00FD42E0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 33_2_015A42E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,33_2_015A42E0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 34_2_00F842E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,34_2_00F842E0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 35_2_006D42E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,35_2_006D42E0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 36_2_006D42E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,36_2_006D42E0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 37_2_011442E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,37_2_011442E0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 38_2_00F142E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,38_2_00F142E0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 39_2_00AC42E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,39_2_00AC42E0
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: 40_2_00E642E0 VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,GetLastError,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,CloseHandle,40_2_00E642E0
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: C:\Windows\SysWOW64\svchost.exe EIP: 1C7810Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: C:\Windows\SysWOW64\calc.exe EIP: 3070E8CJump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeThread created: C:\Windows\SysWOW64\mspaint.exe EIP: 2A7BBE0Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe EIP: 3375C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe EIP: 905C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe EIP: F05C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe EIP: B75C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe EIP: 975C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe EIP: 10E5C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe EIP: 1685C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe EIP: E95C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe EIP: D35C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe EIP: 1415C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe EIP: 14F5C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe EIP: 985C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe EIP: FD5C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe EIP: 15A5C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe EIP: F85C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe EIP: 6D5C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe EIP: 6D5C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe EIP: 1145C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe EIP: F15C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe EIP: AC5C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe EIP: E65C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: 1275C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: 1165C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: 825C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: 1365C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: 1255C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: 895C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: CA5C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: 1205C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: C05C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: AE5C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: 6D5C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: C05C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: A65C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: B85C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: 1065C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: 7D5C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: ED5C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: 995C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: 11D5C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: 1155C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: 15E5C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: 1365C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: 12B5C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: 6D5C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: BD5C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: FD5C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: 10D5C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: 10C5C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: FD5C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: BD5C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: 13B5C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: 985C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: B55C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: 11A5C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: 14A5C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: 1535C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: 1515C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: C85C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: 825C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: C95C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: F95C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: B85C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: 1205C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: ED5C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: 805C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: DA5C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: 10E5C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: 955C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: 1475C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: 1285C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: A85C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: 415C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: 3095C50Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeThread created: unknown EIP: 2AB5C50Jump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeNtWriteVirtualMemory: Direct from: 0x77762E3CJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeNtMapViewOfSection: Direct from: 0x77762D1CJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeNtCreateMutant: Direct from: 0x777635CCJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeNtTerminateThread: Direct from: 0x77757B2EJump to behavior
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | NtQuerySystemInformation: Direct from: 0x77762DFC
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | NtAllocateVirtualMemory: Direct from: 0x77762BFC
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | NtQueryInformationProcess: Direct from: 0x77762C26
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | NtSetInformationThread: Direct from: 0x777563F9
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | NtOpenKeyEx: Direct from: 0x77763C9C
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | NtQueryAttributesFile: Direct from: 0x77762E6C
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | NtClose: Direct from: 0x77762B6C
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | NtReadVirtualMemory: Direct from: 0x77762E8C
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | NtQuerySystemInformation: Direct from: 0x777648CC
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | NtOpenSection: Direct from: 0x77762E0C
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | NtDeviceIoControlFile: Direct from: 0x77762AEC
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | NtQueryValueKey: Direct from: 0x77762BEC
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | NtQueryInformationToken: Direct from: 0x77762CAC
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | NtTerminateThread: Direct from: 0x77762FCC
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | NtCreateFile: Direct from: 0x77762FEC
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | NtOpenFile: Direct from: 0x77762DCC
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | NtAdjustPrivilegesToken: Direct from: 0x77762EAC
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | NtOpenKeyEx: Direct from: 0x77762B9C
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | NtSetInformationProcess: Direct from: 0x77762C5C
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | NtProtectVirtualMemory: Direct from: 0x77762F9C
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 1C0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe base: 400000 value starts with: 4D5A
            Source: C:\Windows\SysWOW64\svchost.exe | Memory written: C:\Windows\SysWOW64\mspaint.exe base: 2A70000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 3370000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 900000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: F00000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: B70000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 970000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 10E0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1680000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: E90000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: D30000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1410000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 14F0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 980000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: FD0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 15A0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: F80000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 6D0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 6D0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1140000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: F10000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: AC0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: E60000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1270000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1160000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 820000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1360000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1250000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 890000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: CA0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1200000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: C00000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: AE0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 6D0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: C00000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: A60000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: B80000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1060000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 7D0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: ED0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 990000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 11D0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1150000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 15E0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1360000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 12B0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 6D0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: BD0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: FD0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 10D0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 10C0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: FD0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: BD0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 13B0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 980000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: B50000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 11A0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 14A0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1530000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1510000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: C80000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 820000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: C90000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: F90000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: B80000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1200000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: ED0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 800000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: DA0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 10E0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 950000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1470000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1280000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: A80000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 410000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Windows\SysWOW64\calc.exe base: 3090000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Windows\SysWOW64\mspaint.exe base: 2AB0000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: 15_2_00408200 StrCmpNIA,StrCmpNIA,PathRemoveArgsA,PathFindFileNameA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,15_2_00408200
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 16_2_001C8200 StrCmpNIA,StrCmpNIA,PathRemoveArgsA,PathFindFileNameA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,FindCloseChangeNotification,16_2_001C8200
            Source: C:\Windows\SysWOW64\mspaint.exe | Code function: 18_2_02A78200 StrCmpNIA,StrCmpNIA,PathRemoveArgsA,PathFindFileNameA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,18_2_02A78200
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 1C0000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 1F0000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Windows\SysWOW64\calc.exe base: 3070000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Windows\SysWOW64\calc.exe base: 3070D4C
            Source: C:\Windows\SysWOW64\svchost.exe | Memory written: C:\Windows\SysWOW64\mspaint.exe base: 2A70000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 3360000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 3370000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 7D0000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 900000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: EF0000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: F00000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: B00000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: B70000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 3B0000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 970000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1060000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 10E0000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1380000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1680000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: D30000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: E90000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: D20000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: D30000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 12D0000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1410000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1340000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 14F0000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 8D0000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 980000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: FC0000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: FD0000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1450000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 15A0000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: DB0000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: F80000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 2F0000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 6D0000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 3B0000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 6D0000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: B90000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1140000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: C20000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: F10000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 9F0000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: AC0000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: E50000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: E60000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1260000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1270000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: F00000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1160000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 3C0000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 820000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1120000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1360000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1110000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1250000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 600000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 890000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: A50000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: CA0000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Memory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: F70000
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1200000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: A80000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: C00000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 850000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: AE0000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 210000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 6D0000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: A30000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: C00000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: A50000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: A60000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: AE0000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: B80000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: E70000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1060000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 3C0000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 7D0000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: D20000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: ED0000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 940000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 990000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1030000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 11D0000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: F00000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1150000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1320000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 15E0000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1350000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1360000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 12A0000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 12B0000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 2B0000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 6D0000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 7A0000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: BD0000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 9C0000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: FD0000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: B80000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 10D0000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: F20000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 10C0000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: DD0000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: FD0000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: A90000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: BD0000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1210000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 13B0000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 920000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 980000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 5C0000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: B50000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 10D0000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 11A0000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: FB0000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 14A0000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 12A0000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1530000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 12F0000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1510000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 790000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: C80000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 300000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 820000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: C80000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: C90000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: E30000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: F90000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: B70000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: B80000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1010000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1200000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 9C0000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: ED0000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 3B0000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 800000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: B00000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: DA0000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: BA0000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 10E0000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 830000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 950000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1320000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1470000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: DB0000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 1280000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: 9D0000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe base: A80000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 400000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 410000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Windows\SysWOW64\calc.exe base: 3080000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Windows\SysWOW64\calc.exe base: 3090000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Windows\SysWOW64\mspaint.exe base: 2AA0000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeMemory written: C:\Windows\SysWOW64\mspaint.exe base: 2AB0000Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeCode function: 15_2_0040B660 GetForegroundWindow,ShellExecuteExW,15_2_0040B660
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeProcess created: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe "C:\Users\user\Desktop\LisectAVT_2403002C_106.exe"Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeProcess created: C:\Windows\SysWOW64\calc.exe "C:\Windows\SysWOW64\calc.exe"Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\SysWOW64\svchost.exe"Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeProcess created: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe "C:\Users\user\Desktop\LisectAVT_2403002C_106.exe"Jump to behavior
            Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Windows\SysWOW64\mspaint.exe "C:\Windows\SysWOW64\mspaint.exe"Jump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeCode function: 15_2_0040B6D0 AllocateAndInitializeSid,LookupAccountSidW,NetLocalGroupAddMembers,FreeSid,15_2_0040B6D0
            Source: bWgyuzlQlr.exe, 00000015.00000002.2629996422.0000000000F01000.00000002.00000001.00040000.00000000.sdmp, bWgyuzlQlr.exe, 00000015.00000000.2028354788.0000000000F00000.00000002.00000001.00040000.00000000.sdmp, bWgyuzlQlr.exe, 00000016.00000000.2029053575.00000000013C0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
            Source: LisectAVT_2403002C_106.exe, LisectAVT_2403002C_106.exe, 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, LisectAVT_2403002C_106.exe, 0000000F.00000002.1954814037.0000000002640000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: Progman
            Source: bWgyuzlQlr.exe, 00000015.00000002.2629996422.0000000000F01000.00000002.00000001.00040000.00000000.sdmp, bWgyuzlQlr.exe, 00000015.00000000.2028354788.0000000000F00000.00000002.00000001.00040000.00000000.sdmp, bWgyuzlQlr.exe, 00000016.00000000.2029053575.00000000013C0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: ?Program Manager
            Source: LisectAVT_2403002C_106.exe, 00000000.00000002.1952052502.0000000000470000.00000040.00001000.00020000.00000000.sdmp, LisectAVT_2403002C_106.exe, 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, LisectAVT_2403002C_106.exe, 0000000F.00000002.1954814037.0000000002640000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: %s\*.*%s\%s%s\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup%s\Documents and Settings\All users\Start Menu\Programs\Startup\Microsoft\Windows\UpdateSoftware\Microsoft\Windows\CurrentVersion\RunSoftware\Microsoft\Windows\CurrentVersion\RunOnceSoftware\Microsoft\Windows\CurrentVersion\RunSoftware\Microsoft\Windows\CurrentVersion\RunOnce%s\Recycler%s\%s%s\*.*%s\%s%s\%s%appdata%%temp%%windir%%systemroot%%programfiles%%root%%programfiles%\Common Files\*\*.exe%appdata%\Microsoft\Windows\*.exeIsWow64Processkernel32.dll\\WindowsIdWindowsIdMicrosoft\Windows\%s%s\%s%s\%s\%s.exe:Zone.Identifier:Zone.Identifier.quarantined"%s" -shellShell"%s" -bind\userinit.exeexplorer.exe%s\%sMicrosoft\Windows\%%s\%s%s\%s\%s.exeitergtdw11qyucgHGGDsggditergtdw11qyucgHGGDsggdSeShutdownPrivilegeWindows critical error, require rebootShellProgman"%s" -shellWindows UpdateWindows UpdateWindows Update"%s" -shellWindows UpdateWindows UpdateSOFTWARE\Microsoft\Windows\CurrentVersion\Policies\SystemConsentPromptBehaviorAdminConsentPromptBehaviorUserEnableLUArunas-aav_startSOFTWARE\Microsoft\Windows\CurrentVersion\Policies\SystemConsentPromptBehaviorAdminEnable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
            Source: mspaint.exe, 00000012.00000002.2507919205.0000000002A70000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: %s\*.*%s\%s%s\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup%s\Documents and Settings\All users\Start Menu\Programs\Startup\Microsoft\Windows\UpdateSoftware\Microsoft\Windows\CurrentVersion\RunSoftware\Microsoft\Windows\CurrentVersion\RunOnceSoftware\Microsoft\Windows\CurrentVersion\RunSoftware\Microsoft\Windows\CurrentVersion\RunOnce%s\Recycler%s\%s%s\*.*%s\%s%s\%s%appdata%%temp%%windir%%systemroot%%programfiles%%root%%programfiles%\Common Files\*\*.exe%appdata%\Microsoft\Windows\*.exeIsWow64Processkernel32.dll\\WindowsIdWindowsIdMicrosoft\Windows\%s%s\%s%s\%s\%s.exe:Zone.Identifier:Zone.Identifier.quarantined"%s" -shellShell"%s" -bind\userinit.exeexplorer.exe%s\%sMicrosoft\Windows\%%s\%s%s\%s\%s.exeitergtdw11qyucgHGGDsggditergtdw11qyucgHGGDsggdSeShutdownPrivilegeWindows critical error, require rebootShellProgman"%s" -shellWindows UpdateWindows UpdateWindows Update"%s" -shellWindows UpdateWindows UpdateSOFTWARE\Microsoft\Windows\CurrentVersion\Policies\SystemConsentPromptBehaviorAdminConsentPromptBehaviorUserEnableLUArunas-aav_startSOFTWARE\Microsoft\Windows\CurrentVersion\Policies\SystemConsentPromptBehaviorAdminEnableLUAn.lotys.run.jntbxduhz.run.hmiblgoja.run.ezjhyxxbf.run.yqqufklho.run.vbemnggcj.run.yxntnyrap.run.oceardpku.run.zhgcuntif.run.jupoofsnc.run.aoyylwyxd.run.kvupdstwh.run.spgpemwqk.run.zhjdwkpaz.run.dclhmfkcb.run.yugypkhvl.run.srobpranm.run.zccgyxwfa.run.lgcpogvly.run.mqjcctzdu.run.jthxriotb.run.eoifjgjxl.run.mmhjrarii.run.lurgcdqwk.run.adkxlenod.run.lumzwlhum.run.spdsazjaj.run.rzyyjafvk.run.orvjwcvqt.run.nikejqiis.run.uhwumfxht.run.gznzenuve.run.ipdcuzrbj.run.axitdflcr.run.gbckjrrzu.run.kntrejzkq.run.srxkwklks.run.knyszaijv.run.yjeuatihg.run.zgfvfhtli.run.hceymatul.run.xiabhaoii.run.oysaqcxbi.run.raqimfebe.run.kbwuxntle.run.xcuygznmk.run.fxazudqiv.run.keqenlhsc.run.hpufkdrqr.run.yfxmjmbpd.run.wbakrhdqe.run.fxagapbcw.run.bkgywvtsx.run.zervwpzra.run.akyjwkkqj.run.heiylmruc.run.yothepdgz.run.jqltfflhx.run.gbfelbdjz.run.sjkguntum.run.lxbluoryz.run.khqrqoqoe.run.lujjeazun.run.votjsbqxi.run.whukpjket.run.jspowmxsl.run.bhsbqjysh.run.epbdyornt.run.iclcakajd.run.lbxfqfcxj.run.zdxappufr.run.wxvwsagfj.run.phbndvdsy.run.gxltnbgks.run.jveblfxqs.run.cfqqxfduf.run.bjadvjfdx.run.ggxvmjwgy.run.avebiwdbf.run.jractocvx.run.srcbrtetb.run.tekwkrsll.run.hbukvpirg.run.rpbzpxiyg.run.cdtclxicx.run.cjwxfmimx.run.sabqauqxz.run.ysmilxqbp.run.oaclzemyh.run.sokjrsoge.run.rqbupminx.run.tsmdeqpxz.run.uqeuhlpbo.run.owjbbpdam.run.zjadtsvrd.run.cusviecqs.run.plrbchand.run.zqpkvolqc.run.qktjrlxil.run.xyxbbuxhw.run.nnzykujty.run.elnytydma.comn.mrjwqrvhe.comn.nmdlqnsqv.comn.eoxhxlxax.comn.kpypmhotd.comn.iegvyabpm.comn.vvspbjbsj.comn.rejtobfsz.comn.kyhoimuag.comn.nfjmrolyt.comn.zfluvuuez.comn.krpjpyuvr.comn.jijvoiiqf.comn.pszpnkbib.comn.zhlhvgfpj.comn.mvhrrpbab.comn.xqbwkgtli.comn.yykzejasl.comn.uafvkahxq.comn.onnaznfpi.comn.bvjbygkhq.comn.celujntse.comn.nothauweh.comn.bffihxjxo.comn.onqxlsjsu.comn.nzebzahio.comn.ylbotqjmk.comn.cbceluvnf.comn.gurvnrthi.comn.c
            Source: bWgyuzlQlr.exe, 00000015.00000002.2629996422.0000000000F01000.00000002.00000001.00040000.00000000.sdmp, bWgyuzlQlr.exe, 00000015.00000000.2028354788.0000000000F00000.00000002.00000001.00040000.00000000.sdmp, bWgyuzlQlr.exe, 00000016.00000000.2029053575.00000000013C0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: GetLocaleInfoA,0_2_0040A490
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,16_2_0041B480
            Source: C:\Windows\SysWOW64\calc.exe | Code function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,17_2_0309B480
            Source: C:\Windows\SysWOW64\mspaint.exe | Code function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,18_2_02ABB480
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe | Code function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,19_2_0040B480
            Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe | Code function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,20_2_0337B480
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,21_2_0090B480
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,22_2_00F0B480
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,23_2_00B7B480
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,24_2_0097B480
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,25_2_010EB480
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe | Code function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,26_2_0168B480
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,27_2_00E9B480
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,28_2_00D3B480
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,29_2_0141B480
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,30_2_014FB480
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,31_2_0098B480
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,32_2_00FDB480
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,33_2_015AB480
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,34_2_00F8B480
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,35_2_006DB480
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,36_2_006DB480
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,37_2_0114B480
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,38_2_00F1B480
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,39_2_00ACB480
            Source: C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exeCode function: memset,lstrcpyA,lstrcpyA,HeapAlloc,GetVersionExA,lstrcpyA,HeapAlloc,strstr,lstrlenA,lstrlenA,GetLocaleInfoA,lstrcmpA,GetLocaleInfoA,GetLocaleInfoA,lstrcpyA,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,HeapAlloc,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,_snprintf,lstrcpyA,_snprintf,_snprintf,??3@YAXPAX@Z,40_2_00E6B480
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 16_2_0041E880 memset,lstrlenA,_snprintf,CreateNamedPipeA,CreateNamedPipeA,CloseHandle,ConnectNamedPipe,GetLastError,CreateThread,CloseHandle,CreateNamedPipeA,16_2_0041E880
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeCode function: 0_2_0040995C GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_0040995C
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeCode function: 15_2_0040B880 GetUserNameW,NetUserGetInfo,NetApiBufferFree,15_2_0040B880
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeCode function: 0_2_0040845B __lock,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,0_2_0040845B
            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exeCode function: 15_2_0040B4F0 GetVersionExA,15_2_0040B4F0
            Source: C:\Windows\SysWOW64\mspaint.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Lowering of HIPS / PFW / Operating System Security Settings

            Source: C:\Users\user\Desktop\LisectAVT_2403002C_106.exe Code function: RegSetValue: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ConsentPromptBehaviorAdmin EnableLUA 15_2_0040B540
            Source: C:\Windows\SysWOW64\svchost.exe Code function: RegSetValue: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ConsentPromptBehaviorAdmin EnableLUA 16_2_001CB540
            Source: C:\Windows\SysWOW64\mspaint.exe Code function: RegSetValue: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System ConsentPromptBehaviorAdmin EnableLUA 18_2_02A7B540
            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity InformationAcquire Infrastructure1
            Replication Through Removable Media
            331
            Native API
            1
            DLL Side-Loading
            1
            Exploitation for Privilege Escalation
            1
            Disable or Modify Tools
            1
            Credential API Hooking
            2
            System Time Discovery
            Remote Services1
            Archive Collected Data
            1
            Ingress Tool Transfer
            Exfiltration Over Other Network Medium1
            System Shutdown/Reboot
            CredentialsDomainsDefault Accounts3
            Command and Scripting Interpreter
            11
            Registry Run Keys / Startup Folder
            1
            Abuse Elevation Control Mechanism
            1
            Deobfuscate/Decode Files or Information
            LSASS Memory21
            Peripheral Device Discovery
            Remote Desktop Protocol1
            Credential API Hooking
            2
            Encrypted Channel
            Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain AccountsAt2
            Bootkit
            1
            DLL Side-Loading
            1
            Abuse Elevation Control Mechanism
            Security Account Manager1
            Account Discovery
            SMB/Windows Admin Shares1
            Clipboard Data
            11
            Non-Standard Port
            Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
            Access Token Manipulation
            3
            Obfuscated Files or Information
            NTDS2
            File and Directory Discovery
            Distributed Component Object ModelInput Capture1
            Non-Application Layer Protocol
            Traffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script713
            Process Injection
            41
            Software Packing
            LSA Secrets124
            System Information Discovery
            SSHKeylogging1
            Application Layer Protocol
            Scheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts11
            Registry Run Keys / Startup Folder
            1
            DLL Side-Loading
            Cached Domain Credentials1
            Network Share Discovery
            VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
            File Deletion
            DCSync1
            Query Registry
            Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
            Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job111
            Masquerading
            Proc Filesystem221
            Security Software Discovery
            Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
            Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt111
            Virtualization/Sandbox Evasion
            /etc/passwd and /etc/shadow111
            Virtualization/Sandbox Evasion
            Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
            IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron1
            Access Token Manipulation
            Network Sniffing13
            Process Discovery
            Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
            Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd713
            Process Injection
            Input Capture1
            System Owner/User Discovery
            Software Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption
            Gather Victim Org InformationDNS ServerCompromise Software Supply ChainWindows Command ShellScheduled TaskScheduled Task1
            Hidden Files and Directories
            Keylogging1
            System Network Configuration Discovery
            Taint Shared ContentScreen CaptureDNSExfiltration Over Physical MediumResource Hijacking
            Determine Physical LocationsVirtual Private ServerCompromise Hardware Supply ChainUnix ShellSystemd TimersSystemd Timers2
            Bootkit
            GUI Input CapturePermission Groups DiscoveryReplication Through Removable MediaEmail CollectionProxyExfiltration over USBNetwork Denial of Service

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1481552 Sample: LisectAVT_2403002C_106.exe Startdate: 25/07/2024 Architecture: WINDOWS Score: 100 49 api.wipmania.com 2->49 51 n.yqqufklho.ru 2->51 53 13 other IPs or domains 2->53 81 Antivirus detection for URL or domain 2->81 83 Antivirus detection for dropped file 2->83 85 Antivirus / Scanner detection for submitted sample 2->85 89 9 other signatures 2->89 9 LisectAVT_2403002C_106.exe 2->9 started signatures3 87 Tries to detect the country of the analysis system (by using the IP) 49->87 process4 signatures5 91 Detected unpacking (changes PE section rights) 9->91 93 Detected unpacking (creates a PE file in dynamic memory) 9->93 95 Detected unpacking (overwrites its own PE header) 9->95 97 13 other signatures 9->97 12 LisectAVT_2403002C_106.exe 2 9->12 started process6 file7 45 C:\Users\user\AppData\Roaming\c731200, PE32 12->45 dropped 47 C:\Users\user\...\c731200:Zone.Identifier, ASCII 12->47 dropped 113 Writes to foreign memory regions 12->113 115 Allocates memory in foreign processes 12->115 117 Creates a thread in another existing process (thread injection) 12->117 119 Injects a PE file into a foreign processes 12->119 16 svchost.exe 2 3 12->16 started 20 LisectAVT_2403002C_106.exe 3 12->20 started 22 calc.exe 1 12->22 started signatures8 process9 file10 37 C:\Users\user\AppData\...xplorer.exe, PE32 16->37 dropped 39 C:\Users\...xplorer.exe:Zone.Identifier, ASCII 16->39 dropped 61 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 16->61 63 Found evasive API chain (may stop execution after checking mutex) 16->63 65 Extracts suspicious resources from PE file (packer detected) 16->65 79 6 other signatures 16->79 24 mspaint.exe 1 14 16->24 started 67 Writes to foreign memory regions 20->67 69 Allocates memory in foreign processes 20->69 71 Creates a thread in another existing process (thread injection) 20->71 29 WmiPrvSE.exe 20->29 injected 31 bWgyuzlQlr.exe 20->31 injected 33 bWgyuzlQlr.exe 20->33 injected 35 18 other processes 20->35 73 Contains functionality to access PhysicalDrive, possible boot sector overwrite 22->73 75 Contains functionality to infect the boot sector 22->75 77 Contains functionality to inject threads in other processes 22->77 signatures11 process12 dnsIp13 55 api.wipmania.com 127.0.0.1 unknown unknown 24->55 57 n.jntbxduhz.ru 195.133.45.237, 3720, 49707 SPD-NETTR Russian Federation 24->57 59 2 other IPs or domains 24->59 41 C:\Users\user\AppData\Roaming\...\Hsnpnw.exe, PE32 24->41 dropped 43 C:\Users\user\...\Hsnpnw.exe:Zone.Identifier, ASCII 24->43 dropped 99 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 24->99 101 Extracts suspicious resources from PE file (packer detected) 24->101 103 Contains functionality to access PhysicalDrive, possible boot sector overwrite 24->103 111 7 other signatures 24->111 105 Contains functionality to infect the boot sector 29->105 107 Contains functionality to inject threads in other processes 29->107 109 Found direct / indirect Syscall (likely to bypass EDR) 31->109 file14 signatures15

            Source | Detection | Scanner | Label
            LisectAVT_2403002C_106.exe | 100% | Avira | TR/Patched.Ren.Gen
            LisectAVT_2403002C_106.exe | 100% | Joe Sandbox ML |

            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Roaming\c731200 | 100% | Avira | TR/Patched.Ren.Gen
            C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe | 100% | Avira | TR/Patched.Ren.Gen
            C:\Users\user\AppData\Roaming\Update\Explorer.exe | 100% | Avira | TR/Patched.Ren.Gen
            C:\Users\user\AppData\Roaming\c731200 | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Roaming\Update\Explorer.exe | 100% | Joe Sandbox ML |

            No Antivirus matches
            No Antivirus matches

            Source | Detection | Scanner | Label
            http://www.google.com | 100% | URL Reputation | malware
            http://api.wipmania.com/LtU | 0% | Avira URL Cloud | safe
            http://api.wipmania.com/ | 0% | Avira URL Cloud | safe
            http://www.google.com.exec7312009EEAi | 0% | Avira URL Cloud | safe
            http://www.google.comc731200U | 0% | Avira URL Cloud | safe
            http://api.wipmania.com/N | 0% | Avira URL Cloud | safe
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            n.aoyylwyxd.ru | 204.95.99.243 | true | false | | unknown
            n.zhjdwkpaz.ru | 204.95.99.243 | true | false | | unknown
            n.spgpemwqk.ru | 204.95.99.243 | true | false | | unknown
            n.zhgcuntif.ru | 204.95.99.243 | true | false | | unknown
            n.jntbxduhz.ru | 195.133.45.237 | true | false | | unknown
            n.ezjhyxxbf.ru | 204.95.99.243 | true | false | | unknown
            n.kvupdstwh.ru | 204.95.99.243 | true | false | | unknown
            n.yxntnyrap.ru | 204.95.99.243 | true | false | | unknown
            n.jupoofsnc.ru | 204.95.99.243 | true | false | | unknown
            n.lotys.ru | 194.58.112.165 | true | false | | unknown
            n.vbemnggcj.ru | 204.95.99.243 | true | false | | unknown
            n.oceardpku.ru | 204.95.99.243 | true | false | | unknown
            api.wipmania.com | 127.0.0.1 | true | true | | unknown
            n.yqqufklho.ru | unknown | unknown | true | | unknown
            n.hmiblgoja.ru | unknown | unknown | true | | unknown
            Name | Source | Malicious | Antivirus Detection | Reputation
            http://www.google.com | LisectAVT_2403002C_106.exe, LisectAVT_2403002C_106.exe, 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, LisectAVT_2403002C_106.exe, 0000000F.00000002.1954814037.0000000002640000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000010.00000002.2553969446.0000000004400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, calc.exe, calc.exe, 00000011.00000002.2507923478.0000000003070000.00000040.00000400.00020000.00000000.sdmp, mspaint.exe, mspaint.exe, 00000012.00000002.2507919205.0000000002A70000.00000040.00000400.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
            http://api.wipmania.com/ | bWgyuzlQlr.exe, 00000028.00000002.2531260969.0000000000E60000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://api.wipmania.com/LtU | mspaint.exe, 00000012.00000002.2550014931.0000000002BF7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://api.wipmania.com/N | mspaint.exe, 00000012.00000002.2550014931.0000000002BF7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.google.com.exec7312009EEAi | LisectAVT_2403002C_106.exe, 00000000.00000002.1952052502.0000000000470000.00000040.00001000.00020000.00000000.sdmp, LisectAVT_2403002C_106.exe, 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, LisectAVT_2403002C_106.exe, 0000000F.00000002.1954814037.0000000002640000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2553969446.0000000004400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, mspaint.exe, 00000012.00000002.2507919205.0000000002A70000.00000040.00000400.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
            http://api.wipmania.com/l | mspaint.exe, 00000012.00000002.2550014931.0000000002C1E000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
            http://www.google.comc731200U | calc.exe, 00000011.00000002.2507923478.0000000003070000.00000040.00000400.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
                                            • No. of IPs < 25%
                                            • 25% < No. of IPs < 50%
                                            • 50% < No. of IPs < 75%
                                            • 75% < No. of IPs
            IP | Domain | Country | ASN | ASN Name | Malicious
            195.133.45.237 | n.jntbxduhz.ru | Russian Federation | 57844 | SPD-NETTR | false
            194.58.112.165 | n.lotys.ru | Russian Federation | 197695 | AS-REGRU | false
            204.95.99.243 | n.aoyylwyxd.ru | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
                                            IP
                                            127.0.0.1
                                            Joe Sandbox version:40.0.0 Tourmaline
                                            Analysis ID:1481552
                                            Start date and time:2024-07-25 10:57:08 +02:00
                                            Joe Sandbox product:CloudBasic
                                            Overall analysis duration:0h 8m 57s
                                            Hypervisor based Inspection enabled:false
                                            Report type:full
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                            Number of analysed new started processes analysed:20
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:21
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Sample name:LisectAVT_2403002C_106.exe
                                            Detection:MAL
                                            Classification:mal100.troj.evad.winEXE@11/7@15/4
                                            EGA Information:
                                            • Successful, ratio: 100%
                                            HCA Information:
                                            • Successful, ratio: 100%
                                            • Number of executed functions: 83
                                            • Number of non-executed functions: 361
                                            Cookbook Comments:
                                            • Found application associated with file extension: .exe
                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
                                            • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                                            • Not all processes where analyzed, report is missing behavior information
                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                            • Report size exceeded maximum capacity and may have missing disassembly code.
                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                            • VT rate limit hit for: LisectAVT_2403002C_106.exe
Time | Type | Description
06:39:08 | API Interceptor | 1x Sleep call for process: calc.exe modified
06:39:46 | API Interceptor | 13x Sleep call for process: mspaint.exe modified
12:39:10 | Autostart | Run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value "Windows Explorer Manager" = C:\Users\user\AppData\Roaming\Update\Explorer.exe
12:39:19 | Autostart | Run key HKCU64\Software\Microsoft\Windows\CurrentVersion\Run, value "Windows Explorer Manager" = C:\Users\user\AppData\Roaming\Update\Explorer.exe
12:39:28 | Autostart | Run key HKCU64\Software\Microsoft\Windows\CurrentVersion\Run, value "Hsnpnw" = C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe
12:39:43 | Autostart | Run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value "Hsnpnw" = C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe
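The four AutostartRun rows above are the same two Run values seen through the 32-bit and 64-bit registry views (Joe Sandbox labels the latter HKCU64). The following Python is an added example, not part of the Joe Sandbox report or of the sample: it collapses such rows and scores each distinct Run value for the persistence traits visible here (image under a user-writable profile path, a Windows binary name launched from outside C:\Windows, a random-looking image name). REPORT_ENTRIES is constructed from the rows above; the name list, the writable-path list and the vowel threshold are assumptions.

```python
# Windows binary names that should only run from C:\Windows; a Run value that launches one of
# these from a profile directory is masquerading (list is an assumption, extend as needed).
SYSTEM_BINARY_NAMES = {"explorer.exe", "svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
                       "services.exe", "dllhost.exe", "conhost.exe", "rundll32.exe"}

# Locations a standard user can write to; persistence from here needs no elevation (assumed list).
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\users\\public\\", "\\temp\\")

# Constructed from the report's four AutostartRun rows: (hive view, subkey, value name, image path).
REPORT_ENTRIES = [
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run", "Windows Explorer Manager",
     r"C:\Users\user\AppData\Roaming\Update\Explorer.exe"),
    ("HKCU64", r"Software\Microsoft\Windows\CurrentVersion\Run", "Windows Explorer Manager",
     r"C:\Users\user\AppData\Roaming\Update\Explorer.exe"),
    ("HKCU64", r"Software\Microsoft\Windows\CurrentVersion\Run", "Hsnpnw",
     r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run", "Hsnpnw",
     r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe"),
]


def normalize_hive(hive):
    """HKCU64/HKLM64 is the sandbox's label for the 64-bit registry view of the same hive."""
    return hive[:-2] if hive.upper() in ("HKCU64", "HKLM64") else hive


def looks_random(stem):
    """Crude pronounceability test: alphabetic, 5+ characters, fewer than one vowel in five."""
    s = stem.lower()
    return len(s) >= 5 and s.isalpha() and sum(c in "aeiouy" for c in s) / len(s) < 0.2


def assess_run_entry(key, value_name, image_path):
    """Reasons this Run value deserves attention; an empty list means nothing stood out."""
    reasons = []
    path = image_path.lower()
    base = path.rsplit("\\", 1)[-1]
    stem = base.rsplit(".", 1)[0]
    if any(seg in path for seg in USER_WRITABLE):
        reasons.append("image under a user-writable profile directory")
    if base in SYSTEM_BINARY_NAMES and not path.startswith("c:\\windows\\"):
        reasons.append(f"Windows binary name {base} outside C:\\Windows")
    if looks_random(stem):
        reasons.append(f"random-looking image name {stem}")
    return reasons


def triage(entries):
    """Collapse the two registry views, then score each distinct (key, value, image) once."""
    results = {}
    for hive, subkey, value_name, image_path in entries:
        ident = (normalize_hive(hive) + "\\" + subkey, value_name, image_path)
        results.setdefault(ident, assess_run_entry(*ident))
    return results


if __name__ == "__main__":
    for (key, value, image), reasons in triage(REPORT_ENTRIES).items():
        print(f"{key}\\{value} -> {image}")
        for reason in reasons:
            print("   -", reason)
```

Run against the report's rows this yields two distinct entries: the Explorer.exe value is flagged for living under AppData\Roaming and for borrowing a Windows binary name, the Hsnpnw.exe value for the profile path and for its unpronounceable name. The vowel test is deliberately cheap; on a real host, pair it with the image's signature state and creation time.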
Match | Associated Sample Name / URL | Detection | Threat Name | Context
194.58.112.165
  TT-SWIFT-Schindler.exe | malicious | FormBook | www.korabli.site/m10e/
  E-dekont.exe | malicious | FormBook, GuLoader | www.vistservice.online/my26/?Ztx=uL8dja8oR16qhfzef/riJwBEWy45bTmDw0+yP84R0l31DREdvm7ExGelPKSbimol8Hgy&j4MX=i6uDZ
  E-dekont.exe | malicious | FormBook, GuLoader | www.vistservice.online/my26/?X6Y=uL8dja8oR16qhfzef/riJwBEWy45bTmDw0+yP84R0l31DREdvm7ExGelPKSbimol8Hgy&7nHtvp=M4e4IZLPatqHxv
  Ziraat_Bankasi_Swift_Mesaji.exe | malicious | FormBook, GuLoader | www.vistservice.online/my26/?q4=uL8dja8oR16qhfzef/riJwBEWy45bTmDw0+yP84R0l31DREdvm7ExGelPKSbimol8Hgy&5jdh=DPxH-Ti82
  E-dekont.exe | malicious | FormBook, GuLoader | www.vistservice.online/my26/?6lo8sx=KtF83LWPF&_fvPp=uL8dja8oR16qhfzef/riJwBEWy45bTmDw0+yP84R0l31DREdvm7ExGelPKSbimol8Hgy
  RFQ1123031240058-pdf-.exe | malicious | FormBook | www.apatitum.ru/ae30/?e6APen=-ZbLVVvxbh&hRMt=FPMBMGCVaW18mWp9psYxs8vphsoSX/Rva1ei2SkJWEFtkxICrZ+/bmE6D+QZZ+YInswR
  Quotation-pdf-.exe | malicious | FormBook | www.apatitum.ru/ae30/?1bx8kD=FPMBMGCVaW18mWp9psYxs8vphsoSX/Rva1ei2SkJWEFtkxICrZ+/bmE6D+QzGOoIju4R&a6Ah=W2MtW6H0b
  MT103.exe | malicious | FormBook | www.artesianus.ru/ws6g/?SHJtdHBX=/ITleYemMY8jUuL4/5pyYD+uQ18tzPnmQtMZ/RzrYSSVzGowpodikAYSFjornnVy8zhJMiIsyw==&7n_LfJ=A6AlZjY8wd
  CDF77C2AF71C09E830990C14E72B624223094EE4C10B6.exe | malicious | Azorult | antrakt.site/index.php
  wnRWWNwExD.exe | malicious | FormBook, GuLoader | www.argentum.website/hicp/?9r=AxYmfo1FoPvCF3rPl73DFv46RurIdQHTC7y26xSyr+5fjodeez2htuenW0R/n5GSHfPj&yxl=tJBDz4A
204.95.99.243
  IST5Fk44k3.exe | malicious | Darkbot, GhostRat | (no context)
  qLi9sAxeSm.exe | malicious | Darkbot | (no context)
Match | Associated Sample Name / URL | Detection | Threat Name | Context
n.zhgcuntif.ru
  IST5Fk44k3.exe | malicious | Darkbot, GhostRat | 204.95.99.243
  qLi9sAxeSm.exe | malicious | Darkbot | 204.95.99.243
n.zhjdwkpaz.ru
  IST5Fk44k3.exe | malicious | Darkbot, GhostRat | 204.95.99.243
  qLi9sAxeSm.exe | malicious | Darkbot | 204.95.99.243
n.spgpemwqk.ru
  IST5Fk44k3.exe | malicious | Darkbot, GhostRat | 204.95.99.243
  qLi9sAxeSm.exe | malicious | Darkbot | 204.95.99.243
n.ezjhyxxbf.ru
  IST5Fk44k3.exe | malicious | Darkbot, GhostRat | 204.95.99.243
  qLi9sAxeSm.exe | malicious | Darkbot | 204.95.99.243
n.kvupdstwh.ru
  IST5Fk44k3.exe | malicious | Darkbot, GhostRat | 204.95.99.243
  qLi9sAxeSm.exe | malicious | Darkbot | 204.95.99.243
n.lotys.ru
  IST5Fk44k3.exe | malicious | Darkbot, GhostRat | 194.58.112.165
  qLi9sAxeSm.exe | malicious | Darkbot | 63.251.106.25
n.yxntnyrap.ru
  IST5Fk44k3.exe | malicious | Darkbot, GhostRat | 204.95.99.243
  qLi9sAxeSm.exe | malicious | Darkbot | 204.95.99.243
n.jupoofsnc.ru
  IST5Fk44k3.exe | malicious | Darkbot, GhostRat | 204.95.99.243
  qLi9sAxeSm.exe | malicious | Darkbot | 204.95.99.243
n.aoyylwyxd.ru
  IST5Fk44k3.exe | malicious | Darkbot, GhostRat | 204.95.99.243
  qLi9sAxeSm.exe | malicious | Darkbot | 204.95.99.243
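The IP and domain context tables above already say which indicators are worth pivoting on: 204.95.99.243 is reached through eight n.*.ru domains and only by Darkbot samples, 194.58.112.165 also serves FormBook, GuLoader and Azorult samples, and n.lotys.ru resolves to two different addresses. The following Python is an added example, not part of the report: it indexes the rows of the two tables (embedded as constructed data, with sample names deduplicated so the three E-dekont.exe submissions count once) and rates each IP by how exclusively its known samples belong to the target family. The verdict thresholds are assumptions.

```python
from collections import defaultdict

TARGET = "Darkbot"

# The two Darkbot samples that share infrastructure with this one (domain context table).
DARKBOT_SAMPLES = [("IST5Fk44k3.exe", "Darkbot, GhostRat"), ("qLi9sAxeSm.exe", "Darkbot")]
SHARED_C2_DOMAINS = ["n.zhgcuntif.ru", "n.zhjdwkpaz.ru", "n.spgpemwqk.ru", "n.ezjhyxxbf.ru",
                     "n.kvupdstwh.ru", "n.yxntnyrap.ru", "n.jupoofsnc.ru", "n.aoyylwyxd.ru"]
# (domain, sample, families, resolved IP): the domain context table as constructed data.
DOMAIN_ROWS = [(d, s, f, "204.95.99.243") for d in SHARED_C2_DOMAINS for s, f in DARKBOT_SAMPLES] + [
    ("n.lotys.ru", "IST5Fk44k3.exe", "Darkbot, GhostRat", "194.58.112.165"),
    ("n.lotys.ru", "qLi9sAxeSm.exe", "Darkbot", "63.251.106.25"),
]
# (IP, sample, families): the IP context table. E-dekont.exe appears three times there and is
# listed once; the table's "FormBook GuLoader" row is written with its missing comma restored.
IP_ROWS = [
    ("194.58.112.165", "TT-SWIFT-Schindler.exe", "FormBook"),
    ("194.58.112.165", "E-dekont.exe", "FormBook, GuLoader"),
    ("194.58.112.165", "Ziraat_Bankasi_Swift_Mesaji.exe", "FormBook, GuLoader"),
    ("194.58.112.165", "RFQ1123031240058-pdf-.exe", "FormBook"),
    ("194.58.112.165", "Quotation-pdf-.exe", "FormBook"),
    ("194.58.112.165", "MT103.exe", "FormBook"),
    ("194.58.112.165", "CDF77C2AF71C09E830990C14E72B624223094EE4C10B6.exe", "Azorult"),
    ("194.58.112.165", "wnRWWNwExD.exe", "FormBook, GuLoader"),
    ("204.95.99.243", "IST5Fk44k3.exe", "Darkbot, GhostRat"),
    ("204.95.99.243", "qLi9sAxeSm.exe", "Darkbot"),
]


def parse_families(label):
    """'Darkbot, GhostRat' -> {'Darkbot', 'GhostRat'}."""
    return {f.strip() for f in label.split(",") if f.strip()}


def build_index(domain_rows, ip_rows):
    """Return ip -> {sample: families}, ip -> set(domains), domain -> set(ips)."""
    samples_by_ip = defaultdict(dict)
    domains_by_ip = defaultdict(set)
    ips_by_domain = defaultdict(set)
    for domain, sample, fams, ip in domain_rows:
        samples_by_ip[ip][sample] = parse_families(fams)
        domains_by_ip[ip].add(domain)
        ips_by_domain[domain].add(ip)
    for ip, sample, fams in ip_rows:
        samples_by_ip[ip][sample] = parse_families(fams)
    return samples_by_ip, domains_by_ip, ips_by_domain


def score_ip(ip, samples_by_ip, domains_by_ip, target=TARGET):
    """Pivot quality of an IP: the share of its known samples carrying the target label."""
    samples = samples_by_ip.get(ip, {})
    hits = sum(target in fams for fams in samples.values())
    share = hits / len(samples) if samples else 0.0
    if len(samples) < 2:
        verdict = "insufficient"      # one sighting proves nothing either way
    elif share >= 0.9:
        verdict = "strong"            # dedicated to the family: block and hunt on it
    elif share < 0.5:
        verdict = "weak"              # multi-tenant hosting, sinkhole or CDN: do not block on this alone
    else:
        verdict = "unclear"
    return {"ip": ip, "samples": len(samples), "target_share": round(share, 2),
            "domains": len(domains_by_ip.get(ip, ())), "verdict": verdict}


def multi_homed_domains(ips_by_domain):
    """Domains seen on more than one address: rotating or shared hosting, weaker as indicators."""
    return {d for d, ips in ips_by_domain.items() if len(ips) > 1}


def rank(samples_by_ip, domains_by_ip):
    """Best pivots first: strong verdicts, then the ones with the most domains behind them."""
    order = {"strong": 0, "unclear": 1, "weak": 2, "insufficient": 3}
    rows = [score_ip(ip, samples_by_ip, domains_by_ip) for ip in samples_by_ip]
    return sorted(rows, key=lambda r: (order[r["verdict"]], -r["domains"]))
```

On the report's rows the ranking puts 204.95.99.243 first (two samples, both Darkbot, eight domains), rates 194.58.112.165 weak (one Darkbot sighting among nine samples), and has too little on 63.251.106.25 to say anything; n.lotys.ru is the only multi-homed domain. The same indexing works unchanged on passive-DNS exports if the rows are mapped to the same tuples.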
Match | Associated Sample Name / URL | Detection | Threat Name | Context
MICROSOFT-CORP-MSN-AS-BLOCKUS
  http://flydedxmmddhgt3vfhv6om63ra2u2x4jxginulhxb6nzcnj3wwgavwyd.onion/ | malicious | Unknown | 13.74.129.1
  LisectAVT_2403002C_123.exe | malicious | Bdaejec, Darkbot | 13.107.246.40
  Scan copy.xls | malicious | Unknown | 13.107.246.60
  Order_490104.xls | malicious | Unknown | 13.107.246.42
  Quotation.exe | malicious | FormBook, GuLoader | 13.107.137.11
  CWS610973I4SC2024.exe | malicious | DBatLoader | 13.107.137.11
  LisectAVT_2403002C_142.exe | malicious | Njrat | 13.107.253.42
  CWS610973I4SC2024.exe | malicious | DBatLoader | 13.107.137.11
  LisectAVT_2403002C_181.exe | malicious | Revenge | 13.107.246.60
  LisectAVT_2403002C_44.exe | malicious | EICAR | 13.89.179.12
SPD-NETTR
  611479C78035C912DD69E3CFDADBF74649BB1FCE6241B7573CFB0C7A2FC2FB2F.exe | malicious | Bdaejec, PrivateLoader | 212.193.30.29
  wO2hW34tnC.elf | malicious | Mirai, Gafgyt, Okiru | 45.158.226.175
  pVwXSHLriO.elf | malicious | Mirai, Moobot | 45.67.86.157
  na.elf | malicious | Mirai | 185.118.141.106
  nigga.sh | malicious | Mirai | 45.12.96.123
  rc2G4fAIY4.elf | malicious | Gafgyt, Mirai | 45.81.142.31
  QzNtWxCnZh.elf | malicious | Gafgyt, Mirai | 45.81.142.31
  dqVusfiLPV.elf | malicious | Gafgyt, Mirai | 45.81.142.31
  SecuriteInfo.com.Linux.Siggen.9999.6736.22177.elf | malicious | Gafgyt, Mirai | 45.81.142.31
  SecuriteInfo.com.Trojan.GenericKD.65594079.25944.10510.exe | malicious | AgentTesla, RHADAMANTHYS | 212.193.30.32
AS-REGRU
  LisectAVT_2403002A_117.exe | malicious | RedLine | 194.87.107.145
  IIMG_00172424.exe | malicious | FormBook | 37.140.192.90
  SecuriteInfo.com.Trojan.PackedNET.2966.14355.23143.exe | malicious | FormBook | 37.140.192.90
  desDGzeznq.elf | malicious | Mirai, Gafgyt, Okiru | 194.87.181.56
  Shipping Documents.exe | malicious | FormBook, PureLog Stealer | 37.140.192.90
  New Order.exe | malicious | FormBook, PureLog Stealer | 194.58.112.174
  Shipping Documents 7896424100.exe | malicious | FormBook | 194.58.112.174
  SecuriteInfo.com.TrojanLoader.MSIL.DaVinci.Heur.16736.4797.exe | malicious | FormBook, PureLog Stealer | 37.140.192.90
  BL.exe | malicious | FormBook | 194.58.112.174
  payment advice.exe | malicious | FormBook | 194.58.112.174
                                                No context
                                                No context
                                                Process:C:\Windows\SysWOW64\calc.exe
File Type:777 archive data (libmagic label only; the 9-byte content is the ASCII digit string shown in Preview, not an archive)
                                                Category:modified
                                                Size (bytes):9
                                                Entropy (8bit):2.6416041678685933
                                                Encrypted:false
                                                SSDEEP:3:hcWn:qW
                                                MD5:88FD754E88E6656581F8B373CA571BAB
                                                SHA1:80C8AA79903F5E0F8DFF2944F2CF069C57335A82
                                                SHA-256:54DDFE63E15B2A40E3E46C4B990F64FDA2CCCAF4A45716411AE2D3C5E73293D6
                                                SHA-512:A8A325A6B5C5CE3CE371B710ED550509F3A384FC9A7179317ABCC607FFB2DBF43B0613E619740EF4262BE904871F77265CD54BD104E4F96F1AE219977317E1C8
                                                Malicious:false
                                                Preview:777206348
                                                Process:C:\Windows\SysWOW64\mspaint.exe
                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):180196
                                                Entropy (8bit):7.548615799587552
                                                Encrypted:false
                                                SSDEEP:3072:iI4Ce6Zay3ltKJHgyajApErcmhGuGHEIAsn2wSM5fJ8729RhNo:izyjTjAk+uUoO5fq29p
                                                MD5:E57E7EF9D1A8B3196C522D45710ED22B
                                                SHA1:41E8E57E9381805B9375CA8D0A44CEF5C693F566
                                                SHA-256:B737D71E4A2974FE20E65BBACBAD9BFCB5709D4016A3E4F0F88BD9C8134FCAD5
                                                SHA-512:03D161CC84D04FF66CB9AA891AEDD7F2F5A0FED9DF5887B1DF33C9251BF3599676D7B7D1AF257F074210C19C0A686229D1AC8FF0DA571B5AF660E78916E9A7DE
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: Avira, Detection: 100%
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                Preview:MZ......................@............3~\................................!..L.!This program cannot be run in DOS mode....$........n............J......]_....]I.....wY.......0...]N....]^....][....Rich....................PE..L...hApT............................#0............@..................................................................................p..................................................................@............................................text............................... ..`.rdata...+.......,..................@..@.data....K... ... ..................@....rsrc........p......0..............@...........................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Windows\SysWOW64\mspaint.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:modified
                                                Size (bytes):26
                                                Entropy (8bit):3.95006375643621
                                                Encrypted:false
                                                SSDEEP:3:ggPYV:rPYV
                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                Malicious:true
                                                Preview:[ZoneTransfer]....ZoneId=0
                                                Process:C:\Windows\SysWOW64\svchost.exe
                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):180196
                                                Entropy (8bit):7.548615799587552
                                                Encrypted:false
                                                SSDEEP:3072:iI4Ce6Zay3ltKJHgyajApErcmhGuGHEIAsn2wSM5fJ8729RhNo:izyjTjAk+uUoO5fq29p
                                                MD5:E57E7EF9D1A8B3196C522D45710ED22B
                                                SHA1:41E8E57E9381805B9375CA8D0A44CEF5C693F566
                                                SHA-256:B737D71E4A2974FE20E65BBACBAD9BFCB5709D4016A3E4F0F88BD9C8134FCAD5
                                                SHA-512:03D161CC84D04FF66CB9AA891AEDD7F2F5A0FED9DF5887B1DF33C9251BF3599676D7B7D1AF257F074210C19C0A686229D1AC8FF0DA571B5AF660E78916E9A7DE
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: Avira, Detection: 100%
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                Preview:MZ......................@............3~\................................!..L.!This program cannot be run in DOS mode....$........n............J......]_....]I.....wY.......0...]N....]^....][....Rich....................PE..L...hApT............................#0............@..................................................................................p..................................................................@............................................text............................... ..`.rdata...+.......,..................@..@.data....K... ... ..................@....rsrc........p......0..............@...........................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Windows\SysWOW64\svchost.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:modified
                                                Size (bytes):26
                                                Entropy (8bit):3.95006375643621
                                                Encrypted:false
                                                SSDEEP:3:ggPYV:rPYV
                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                Malicious:true
                                                Preview:[ZoneTransfer]....ZoneId=0
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002C_106.exe
                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):180196
                                                Entropy (8bit):7.548615799587552
                                                Encrypted:false
                                                SSDEEP:3072:iI4Ce6Zay3ltKJHgyajApErcmhGuGHEIAsn2wSM5fJ8729RhNo:izyjTjAk+uUoO5fq29p
                                                MD5:E57E7EF9D1A8B3196C522D45710ED22B
                                                SHA1:41E8E57E9381805B9375CA8D0A44CEF5C693F566
                                                SHA-256:B737D71E4A2974FE20E65BBACBAD9BFCB5709D4016A3E4F0F88BD9C8134FCAD5
                                                SHA-512:03D161CC84D04FF66CB9AA891AEDD7F2F5A0FED9DF5887B1DF33C9251BF3599676D7B7D1AF257F074210C19C0A686229D1AC8FF0DA571B5AF660E78916E9A7DE
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: Avira, Detection: 100%
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                Preview:MZ......................@............3~\................................!..L.!This program cannot be run in DOS mode....$........n............J......]_....]I.....wY.......0...]N....]^....][....Rich....................PE..L...hApT............................#0............@..................................................................................p..................................................................@............................................text............................... ..`.rdata...+.......,..................@..@.data....K... ... ..................@....rsrc........p......0..............@...........................................................................................................................................................................................................................................................................................................................................................................
                                                Process:C:\Users\user\Desktop\LisectAVT_2403002C_106.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:modified
                                                Size (bytes):26
                                                Entropy (8bit):3.95006375643621
                                                Encrypted:false
                                                SSDEEP:3:ggPYV:rPYV
                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                Malicious:true
                                                Preview:[ZoneTransfer]....ZoneId=0
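Every dropped copy of the sample above is accompanied by a 26-byte Zone.Identifier stream holding only [ZoneTransfer] and ZoneId=0, the Local Machine zone; that rewrite is what the signature "Hides that the sample has been downloaded from the Internet (zone.identifier)" refers to. The following Python is an added example, not part of the report or of the sample: it parses such a stream and says what the mark-of-the-web state means. SAMPLE_STREAM is constructed to match the preview and size shown above; its line-ending bytes are an assumption, since the preview only shows four non-printable characters between the section header and the key. read_zone_identifier() reads the stream from an NTFS file and is Windows-only.

```python
import configparser

ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Constructed to match the report's 26-byte stream: "[ZoneTransfer]", four non-printable
# bytes, "ZoneId=0". Two CRLF pairs is an assumption that gives exactly 26 bytes.
SAMPLE_STREAM = b"[ZoneTransfer]\r\n\r\nZoneId=0"


def read_zone_identifier(path):
    """Read the alternate data stream from an NTFS file (Windows only); None if absent."""
    try:
        with open(path + ":Zone.Identifier", "rb") as fh:
            return fh.read()
    except OSError:
        return None


def parse_zone_identifier(raw):
    """Return the [ZoneTransfer] keys (lower-cased) or {} if the stream is not usable."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(raw.decode("utf-8", "replace").replace("\r\n", "\n"))
    except configparser.Error:          # e.g. no section header at all
        return {}
    return dict(cp.items("ZoneTransfer")) if cp.has_section("ZoneTransfer") else {}


def classify(raw):
    """One-line verdict on what the stream (or its absence) means for the file."""
    if raw is None:
        return "no Zone.Identifier stream: file was never marked as downloaded"
    fields = parse_zone_identifier(raw)
    try:
        zone = int(fields["zoneid"])
    except (KeyError, ValueError):
        return "stream present but no usable ZoneId (malformed or stripped)"
    name = ZONE_NAMES.get(zone, "unknown zone")
    if zone >= 3:
        return f"MOTW present: ZoneId={zone} ({name}); Windows treats the file as downloaded"
    # Browsers record where a file came from; a bare ZoneId=0 with no origin was written by
    # something else, which is what the dropped copies in this report show.
    from_downloader = "hosturl" in fields or "referrerurl" in fields
    hint = "" if from_downloader else "; no HostUrl/ReferrerUrl, so a browser did not write it"
    return f"MOTW neutralised: ZoneId={zone} ({name}){hint}"


if __name__ == "__main__":
    print(len(SAMPLE_STREAM), "bytes:", classify(SAMPLE_STREAM))
```

For the report's stream the verdict is "MOTW neutralised: ZoneId=0 (Local machine)" with the no-origin hint. A browser-written stream for the same file would carry ZoneId=3 plus HostUrl and ReferrerUrl, so the combination of a rewritten ZoneId and missing origin keys is the artifact to look for on disk after the sample has run.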
                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Entropy (8bit):7.548615799587552
                                                TrID:
                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                • DOS Executable Generic (2002/1) 0.02%
                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                File name:LisectAVT_2403002C_106.exe
                                                File size:180'196 bytes
                                                MD5:e57e7ef9d1a8b3196c522d45710ed22b
                                                SHA1:41e8e57e9381805b9375ca8d0a44cef5c693f566
                                                SHA256:b737d71e4a2974fe20e65bbacbad9bfcb5709d4016a3e4f0f88bd9c8134fcad5
                                                SHA512:03d161cc84d04ff66cb9aa891aedd7f2f5a0fed9df5887b1df33c9251bf3599676d7b7d1af257f074210c19c0a686229d1ac8ff0da571b5af660e78916e9a7de
                                                SSDEEP:3072:iI4Ce6Zay3ltKJHgyajApErcmhGuGHEIAsn2wSM5fJ8729RhNo:izyjTjAk+uUoO5fq29p
                                                TLSH:B104E112F940D073D04715746526C2B09A7AE8311AB9D483BB995BBF9F317C0EB3B38A
                                                File Content Preview:MZ......................@............3~\................................!..L.!This program cannot be run in DOS mode....$........n..............J........]_......]I......wY.........0....]N......]^......][.....Rich....................PE..L...hApT...........
                                                Icon Hash:00928e8e8686b000
                                                Entrypoint:0x403023
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                DLL Characteristics:TERMINAL_SERVER_AWARE
                                                Time Stamp:0x54704168 [Sat Nov 22 07:55:20 2014 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:5
                                                OS Version Minor:0
                                                File Version Major:5
                                                File Version Minor:0
                                                Subsystem Version Major:5
                                                Subsystem Version Minor:0
                                                Import Hash:4d6a6a9dad013c5d14121b939cdf9bb2
                                                Instruction
                                                call 00007F627C4F3BF9h
                                                jmp 00007F627C4ED13Dh
                                                push 0000000Ch
                                                push 00410798h
                                                call 00007F627C4EF964h
                                                xor edi, edi
                                                mov dword ptr [ebp-1Ch], edi
                                                xor eax, eax
                                                mov esi, dword ptr [ebp+0Ch]
                                                cmp esi, edi
                                                setne al
                                                cmp eax, edi
                                                jne 00007F627C4ED2E2h
                                                call 00007F627C4EE933h
                                                mov dword ptr [eax], 00000016h
                                                push edi
                                                push edi
                                                push edi
                                                push edi
                                                push edi
                                                call 00007F627C4F01EAh
                                                add esp, 14h
                                                or eax, FFFFFFFFh
                                                jmp 00007F627C4ED381h
                                                push esi
                                                call 00007F627C4ED463h
                                                pop ecx
                                                mov dword ptr [ebp-04h], edi
                                                test byte ptr [esi+0Ch], 00000040h
                                                jne 00007F627C4ED339h
                                                push esi
                                                call 00007F627C4F3D99h
                                                pop ecx
                                                cmp eax, FFFFFFFFh
                                                je 00007F627C4ED2DDh
                                                cmp eax, FFFFFFFEh
                                                je 00007F627C4ED2D8h
                                                mov edx, eax
                                                sar edx, 05h
                                                mov ecx, eax
                                                and ecx, 1Fh
                                                shl ecx, 06h
                                                add ecx, dword ptr [00415A40h+edx*4]
                                                jmp 00007F627C4ED2C7h
                                                mov ecx, 00413C30h
                                                test byte ptr [ecx+24h], 0000007Fh
                                                jne 00007F627C4ED2EBh
                                                cmp eax, FFFFFFFFh
                                                je 00007F627C4ED2DBh
                                                cmp eax, FFFFFFFEh
                                                je 00007F627C4ED2D6h
                                                mov ecx, eax
                                                sar ecx, 05h
                                                and eax, 1Fh
                                                shl eax, 06h
                                                add eax, dword ptr [00415A40h+ecx*4]
                                                jmp 00007F627C4ED2C7h
                                                mov eax, 00413C30h
                                                test byte ptr [eax+24h], FFFFFF80h
                                                je 00007F627C4ED2DEh
                                                call 00007F627C4EE8A8h
                                                mov dword ptr [eax], 00000016h
                                                push edi
                                                push edi
                                                push edi
                                                push edi
                                                push edi
                                                call 00007F627C4F015Fh
                                                Programming Language:
                                                • [ASM] VS2008 build 21022
                                                • [ C ] VS2008 build 21022
                                                • [IMP] VS2008 SP1 build 30729
                                                • [C++] VS2008 build 21022
                                                • [RES] VS2008 build 21022
                                                • [LNK] VS2008 build 21022
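The header fields above (timestamp 0x54704168, entry point 0x403023 against image base 0x400000, RELOCS_STRIPPED, DLL characteristics limited to TERMINAL_SERVER_AWARE) can be checked without the sample. The following Python is an added example, not the report's or the sample's code: build_header() constructs a minimal PE32 header from those values and from the .text/.rdata/.data rows of the report's section table, and parse_pe() with triage() recovers the compile time, locates the entry point and flags the missing ASLR and DEP opt-ins. Linker version, SizeOfCode, SizeOfImage, stack and heap sizes and the raw-data offsets are assumed filler, and .rsrc is omitted because its section row is not present in this extract. shannon_entropy() is the per-section entropy the report tabulates, exercised here only on constructed bytes because section bodies are not available.

```python
import math
import struct
from collections import Counter, namedtuple
from datetime import datetime, timezone

Section = namedtuple("Section", "name va vsize raw_ptr raw_size flags")
PEInfo = namedtuple("PEInfo", "machine timestamp entry_rva image_base characteristics dll_characteristics sections")

IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000020, 0x00000040
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000


def build_header() -> bytes:
    """Minimal PE32 header built from the report's values; fields marked 'assumed' are filler."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0x54704168, 0, 0, 224,
                                   0x0103)                               # i386, 3 sections, RELOCS_STRIPPED|EXECUTABLE_IMAGE|32BIT_MACHINE
    opt = struct.pack("<HBB9I6H4I2H6I",
                      0x10B, 9, 0,                                       # PE32 magic, linker 9.0 (assumed)
                      0xE000, 0x4C00, 0, 0x3023, 0x1000, 0xF000,         # SizeOfCode/InitData (assumed), entry RVA, code/data base
                      0x400000, 0x1000, 0x200,                           # ImageBase, SectionAlignment, FileAlignment
                      5, 0, 5, 0, 5, 0,                                  # OS, image and subsystem versions 5.0
                      0, 0x35000, 0x400, 0,                              # reserved, SizeOfImage (assumed), SizeOfHeaders, checksum
                      2, 0x8000,                                         # GUI subsystem, DllCharacteristics = TERMINAL_SERVER_AWARE only
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)         # stack/heap (assumed), loader flags, 16 directories
    opt += b"\0" * 128                                                   # data directories left empty
    rows = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData (assumed), Characteristics
        (b".text", 0xDE11, 0x1000, 0xE000, 0x400, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".rdata", 0x2BBA, 0xF000, 0x2C00, 0xE400, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
        (b".data", 0x4B88, 0x12000, 0x2000, 0x11000,
         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ]
    secs = b"".join(struct.pack("<8s6I2HI", n, vs, va, rs, rp, 0, 0, 0, 0, f) for n, vs, va, rs, rp, f in rows)
    return dos + coff + opt + secs


def parse_pe(blob: bytes) -> PEInfo:
    """Read the COFF header, the PE32 optional-header fields triage needs, and the section table."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", blob, pe + 4)
    opt = pe + 24
    if struct.unpack_from("<H", blob, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry = struct.unpack_from("<I", blob, opt + 16)[0]        # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", blob, opt + 28)[0]
    dll_chars = struct.unpack_from("<H", blob, opt + 70)[0]    # DllCharacteristics
    sections = []
    for i in range(nsec):
        name, vs, va, rs, rp, _, _, _, _, f = struct.unpack_from("<8s6I2HI", blob, opt + opt_size + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), va, vs, rp, rs, f))
    return PEInfo(machine, ts, entry, image_base, chars, dll_chars, sections)


def compile_time_utc(info: PEInfo) -> str:
    return datetime.fromtimestamp(info.timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def section_for_rva(info: PEInfo, rva: int):
    for s in info.sections:
        if s.va <= rva < s.va + max(s.vsize, s.raw_size):
            return s
    return None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0; the report gives 7.55 for the whole file and 6.57 for .text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(info: PEInfo) -> list:
    """Static findings a reviewer wants before running the sample."""
    findings = []
    sec = section_for_rva(info, info.entry_rva)
    if sec is None:
        findings.append(f"entry point RVA {info.entry_rva:#x} lies outside every section")
    elif not sec.flags & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry point in non-executable section {sec.name}")
    if info.characteristics & IMAGE_FILE_RELOCS_STRIPPED:
        findings.append("RELOCS_STRIPPED: image cannot be rebased, so ASLR never applies")
    if not info.dll_characteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE:
        findings.append(f"no DYNAMIC_BASE: always loads at its preferred base {info.image_base:#x}")
    if not info.dll_characteristics & IMAGE_DLLCHARACTERISTICS_NX_COMPAT:
        findings.append("no NX_COMPAT: the image does not opt in to DEP")
    for s in info.sections:
        if s.flags & IMAGE_SCN_MEM_WRITE and s.flags & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"W+X section {s.name}")
    return findings
```

On the constructed header the compile time comes out as 2014-11-22 07:55:20 UTC, the entry point resolves into .text, and triage() reports the stripped relocations and the absent DYNAMIC_BASE and NX_COMPAT bits; no section is writable and executable on disk, which matches the report attributing the "changes PE section rights" finding to runtime unpacking rather than to the file's own section table. The same parser works on the real file once read from disk, with the .rsrc row then present.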
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x10b8c | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x17000 | 0x1de00 | -
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x106a0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0xf000 | 0x2dc | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xde11 | 0xe000 | 51fc1123eb72320f9e33d9b5d1611c72 | False | 0.5932965959821429 | data | 6.5654900908018465 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xf000 | 0x2bba | 0x2c00 | 12b11a66d31192127af488fa0f083c2f | False | 0.3830788352272727 | data | 5.6206577202277455 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x12000 | 0x4b88 | 0x2000 | 38dacb44b1e877b8f3f4a13393e1beee | False | 0.532470703125 | data | 5.188988543719799 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x17000 | 0x19000 | 0x18de4 | 5412ced9ce0904cb1513e858e931af55 | False | 0.9798645199293148 | data | 7.977818984184578 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
JPEG | 0x1728c | 0x18321 | PNG image data, 574 x 348, 8-bit/color RGB, non-interlaced | Raeto-Romance | Switzerland | 0.9939155441198728
TEXTINCLUDE | 0x2f5b0 | 0xb | ASCII text, with no line terminators | Raeto-Romance | Switzerland | 1.7272727272727273
TEXTINCLUDE | 0x2f5bc | 0x16 | data | Raeto-Romance | Switzerland | 1.3636363636363635
TEXTINCLUDE | 0x2f5d4 | 0x1cb | C source, ASCII text, with CRLF line terminators | Raeto-Romance | Switzerland | 0.5925925925925926
RT_BITMAP | 0x2f7a0 | 0x2c | Device independent bitmap graphic, 1 x 1 x 24, image size 4 | - | - | 0.5909090909090909
RT_BITMAP | 0x2f7cc | 0xb8 | Device independent bitmap graphic, 12 x 10 x 4, image size 80 | English | United States | 0.44565217391304346
RT_BITMAP | 0x2f884 | 0x144 | Device independent bitmap graphic, 33 x 11 x 4, image size 220 | English | United States | 0.37962962962962965
RT_STRING | 0x2f9c8 | 0x94 | data | Raeto-Romance | Switzerland | 0.668918918918919
RT_STRING | 0x2fa5c | 0x34 | data | Raeto-Romance | Switzerland | 0.6538461538461539
RT_VERSION | 0x2fa90 | 0x354 | data | Raeto-Romance | Switzerland | 0.4612676056338028
DLL | Import
USER32.dll | GetDC, EnableWindow, InvalidateRect, LoadImageA, SetWindowLongA, GetDlgItem, IsWindow, ExitWindowsEx, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, LoadBitmapA, EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, ShowWindow, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard
SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetMalloc, SHGetSpecialFolderLocation
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
OPENGL32.dll | wglUseFontOutlinesW, glPushMatrix, glColor4fv, wglGetLayerPaletteEntries, glTexCoord3dv, glColor3bv, glLineStipple, glTexParameteriv
dbghelp.dll | SymLoadModule, SymGetSymNext, SymEnumerateSymbolsW64, SymGetLineFromAddr64, SymEnumerateModules64, SymGetTypeFromName
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
VERSION.dll | GetFileVersionInfoA, GetFileVersionInfoSizeA, VerQueryValueA
KERNEL32.dll | CloseHandle, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, SetStdHandle, ReadFile, HeapSize, FlushFileBuffers, GetConsoleMode, GetConsoleCP, SetFilePointer, LoadLibraryA, RtlUnwind, InitializeCriticalSectionAndSpinCount, GetLocaleInfoA, GetStringTypeW, GetStringTypeA, GetCurrentProcessId, GetTickCount, QueryPerformanceCounter, GetFileType, SetHandleCount, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, GetTimeZoneInformation, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetModuleFileNameA, GetStdHandle, WriteFile, ExitProcess, CompareStringA, HeapCreate, HeapReAlloc, VirtualAlloc, VirtualFree, HeapFree, DeleteCriticalSection, LCMapStringW, MultiByteToWideChar, WideCharToMultiByte, LCMapStringA, GetLastError, GetCurrentThreadId, SetLastError, TlsFree, TlsSetValue, TlsAlloc, TlsGetValue, GetProcAddress, GetModuleHandleW, IsValidCodePage, GetOEMCP, GetACP, InterlockedDecrement, InterlockedIncrement, GetCPInfo, LeaveCriticalSection, EnterCriticalSection, GetStartupInfoA, GetCommandLineA, GetSystemTimeAsFileTime, GetDateFormatA, GetTimeFormatA, HeapAlloc, GetBinaryTypeA, GlobalMemoryStatusEx, FindAtomW, DefineDosDeviceW, WritePrivateProfileSectionA, WaitForDebugEvent, WriteFileEx, CompareStringW, SetEnvironmentVariableA, CreateFileA, Sleep
Language of compilation system | Country where language is spoken | Map
Raeto-Romance | Switzerland | -
English | United States | -
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-07-25T10:59:51.834750+0200 | TCP | 2802897 | ETPRO MALWARE Win32/IRCBrute/Floder.ej/TKcik.A Checkin | 49707 | 3720 | 192.168.2.7 | 195.133.45.237
2024-07-25T11:00:21.578303+0200 | TCP | 2802897 | ETPRO MALWARE Win32/IRCBrute/Floder.ej/TKcik.A Checkin | 49717 | 3720 | 192.168.2.7 | 204.95.99.243
2024-07-25T10:59:58.802084+0200 | UDP | 2018642 | ET MALWARE DNS Reply Sinkhole Microsoft NO-IP Domain | 53 | 57676 | 1.1.1.1 | 192.168.2.7
2024-07-25T11:00:03.140695+0200 | TCP | 2802897 | ETPRO MALWARE Win32/IRCBrute/Floder.ej/TKcik.A Checkin | 49714 | 3720 | 192.168.2.7 | 204.95.99.243
2024-07-25T10:59:59.937577+0200 | TCP | 2802897 | ETPRO MALWARE Win32/IRCBrute/Floder.ej/TKcik.A Checkin | 49712 | 3720 | 192.168.2.7 | 204.95.99.243
2024-07-25T10:58:22.973383+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49700 | 40.68.123.157 | 192.168.2.7
2024-07-25T11:00:01.156800+0200 | TCP | 2802897 | ETPRO MALWARE Win32/IRCBrute/Floder.ej/TKcik.A Checkin | 49713 | 3720 | 192.168.2.7 | 204.95.99.243
2024-07-25T11:00:03.807830+0200 | UDP | 2018642 | ET MALWARE DNS Reply Sinkhole Microsoft NO-IP Domain | 53 | 51237 | 1.1.1.1 | 192.168.2.7
2024-07-25T10:59:03.392608+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49704 | 40.68.123.157 | 192.168.2.7
2024-07-25T11:00:06.672127+0200 | TCP | 2802897 | ETPRO MALWARE Win32/IRCBrute/Floder.ej/TKcik.A Checkin | 49716 | 3720 | 192.168.2.7 | 204.95.99.243
2024-07-25T10:59:30.161697+0200 | TCP | 2802897 | ETPRO MALWARE Win32/IRCBrute/Floder.ej/TKcik.A Checkin | 49706 | 3720 | 192.168.2.7 | 194.58.112.165
2024-07-25T10:59:54.160371+0200 | UDP | 2018642 | ET MALWARE DNS Reply Sinkhole Microsoft NO-IP Domain | 53 | 62027 | 1.1.1.1 | 192.168.2.7
2024-07-25T10:59:57.609448+0200 | TCP | 2802897 | ETPRO MALWARE Win32/IRCBrute/Floder.ej/TKcik.A Checkin | 49711 | 3720 | 192.168.2.7 | 204.95.99.243
2024-07-25T10:59:56.328534+0200 | TCP | 2802897 | ETPRO MALWARE Win32/IRCBrute/Floder.ej/TKcik.A Checkin | 49710 | 3720 | 192.168.2.7 | 204.95.99.243
2024-07-25T11:00:00.062961+0200 | UDP | 2018642 | ET MALWARE DNS Reply Sinkhole Microsoft NO-IP Domain | 53 | 57086 | 1.1.1.1 | 192.168.2.7
2024-07-25T11:00:06.965977+0200 | UDP | 2018642 | ET MALWARE DNS Reply Sinkhole Microsoft NO-IP Domain | 53 | 61792 | 1.1.1.1 | 192.168.2.7
2024-07-25T11:00:01.900294+0200 | UDP | 2018642 | ET MALWARE DNS Reply Sinkhole Microsoft NO-IP Domain | 53 | 55473 | 1.1.1.1 | 192.168.2.7
2024-07-25T10:59:55.187570+0200 | TCP | 2802897 | ETPRO MALWARE Win32/IRCBrute/Floder.ej/TKcik.A Checkin | 49709 | 3720 | 192.168.2.7 | 204.95.99.243
2024-07-25T10:59:56.600156+0200 | UDP | 2018642 | ET MALWARE DNS Reply Sinkhole Microsoft NO-IP Domain | 53 | 65534 | 1.1.1.1 | 192.168.2.7
2024-07-25T10:59:55.318169+0200 | UDP | 2018642 | ET MALWARE DNS Reply Sinkhole Microsoft NO-IP Domain | 53 | 56256 | 1.1.1.1 | 192.168.2.7
2024-07-25T11:00:05.598863+0200 | UDP | 2018642 | ET MALWARE DNS Reply Sinkhole Microsoft NO-IP Domain | 53 | 64875 | 1.1.1.1 | 192.168.2.7
2024-07-25T11:00:04.950924+0200 | TCP | 2802897 | ETPRO MALWARE Win32/IRCBrute/Floder.ej/TKcik.A Checkin | 49715 | 3720 | 192.168.2.7 | 204.95.99.243
2024-07-25T10:57:56.374479+0200 | TCP | 2802950 | ETPRO MALWARE Win32/IRCBrute/Floder.ej/TKcik.A Pass Checkin | 49714 | 3720 | 192.168.2.7 | 204.95.99.243
2024-07-25T10:59:52.409452+0200 | UDP | 2018642 | ET MALWARE DNS Reply Sinkhole Microsoft NO-IP Domain | 53 | 51472 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 25, 2024 10:59:26.876422882 CEST | 192.168.2.7 | 1.1.1.1 | 0x6123 | Standard query (0) | api.wipmania.com | A (IP address) | IN (0x0001) | false
Jul 25, 2024 10:59:29.095992088 CEST | 192.168.2.7 | 1.1.1.1 | 0xf095 | Standard query (0) | n.lotys.ru | A (IP address) | IN (0x0001) | false
Jul 25, 2024 10:59:50.641465902 CEST | 192.168.2.7 | 1.1.1.1 | 0xb2be | Standard query (0) | n.jntbxduhz.ru | A (IP address) | IN (0x0001) | false
Jul 25, 2024 10:59:52.156889915 CEST | 192.168.2.7 | 1.1.1.1 | 0xdca | Standard query (0) | n.hmiblgoja.ru | A (IP address) | IN (0x0001) | false
Jul 25, 2024 10:59:52.317950964 CEST | 192.168.2.7 | 1.1.1.1 | 0x2e07 | Standard query (0) | n.ezjhyxxbf.ru | A (IP address) | IN (0x0001) | false
Jul 25, 2024 10:59:53.696647882 CEST | 192.168.2.7 | 1.1.1.1 | 0xbb27 | Standard query (0) | n.yqqufklho.ru | A (IP address) | IN (0x0001) | false
Jul 25, 2024 10:59:54.047714949 CEST | 192.168.2.7 | 1.1.1.1 | 0x104d | Standard query (0) | n.vbemnggcj.ru | A (IP address) | IN (0x0001) | false
Jul 25, 2024 10:59:55.301358938 CEST | 192.168.2.7 | 1.1.1.1 | 0xf4d | Standard query (0) | n.yxntnyrap.ru | A (IP address) | IN (0x0001) | false
Jul 25, 2024 10:59:56.456394911 CEST | 192.168.2.7 | 1.1.1.1 | 0xf5c4 | Standard query (0) | n.oceardpku.ru | A (IP address) | IN (0x0001) | false
Jul 25, 2024 10:59:58.508126974 CEST | 192.168.2.7 | 1.1.1.1 | 0xf55b | Standard query (0) | n.zhgcuntif.ru | A (IP address) | IN (0x0001) | false
Jul 25, 2024 11:00:00.052504063 CEST | 192.168.2.7 | 1.1.1.1 | 0x4690 | Standard query (0) | n.jupoofsnc.ru | A (IP address) | IN (0x0001) | false
Jul 25, 2024 11:00:01.746675014 CEST | 192.168.2.7 | 1.1.1.1 | 0x2e3e | Standard query (0) | n.aoyylwyxd.ru | A (IP address) | IN (0x0001) | false
Jul 25, 2024 11:00:03.672374964 CEST | 192.168.2.7 | 1.1.1.1 | 0xb5d0 | Standard query (0) | n.kvupdstwh.ru | A (IP address) | IN (0x0001) | false
Jul 25, 2024 11:00:05.355850935 CEST | 192.168.2.7 | 1.1.1.1 | 0x8880 | Standard query (0) | n.spgpemwqk.ru | A (IP address) | IN (0x0001) | false
Jul 25, 2024 11:00:06.819740057 CEST | 192.168.2.7 | 1.1.1.1 | 0x22df | Standard query (0) | n.zhjdwkpaz.ru | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 25, 2024 10:59:27.049040079 CEST | 1.1.1.1 | 192.168.2.7 | 0x6123 | No error (0) | api.wipmania.com | | 127.0.0.1 | A (IP address) | IN (0x0001) | false
Jul 25, 2024 10:59:29.140310049 CEST | 1.1.1.1 | 192.168.2.7 | 0xf095 | No error (0) | n.lotys.ru | | 194.58.112.165 | A (IP address) | IN (0x0001) | false
Jul 25, 2024 10:59:50.816118956 CEST | 1.1.1.1 | 192.168.2.7 | 0xb2be | No error (0) | n.jntbxduhz.ru | | 195.133.45.237 | A (IP address) | IN (0x0001) | false
Jul 25, 2024 10:59:52.206886053 CEST | 1.1.1.1 | 192.168.2.7 | 0xdca | Name error (3) | n.hmiblgoja.ru | none | none | A (IP address) | IN (0x0001) | false
Jul 25, 2024 10:59:52.409451962 CEST | 1.1.1.1 | 192.168.2.7 | 0x2e07 | No error (0) | n.ezjhyxxbf.ru | | 204.95.99.243 | A (IP address) | IN (0x0001) | false
Jul 25, 2024 10:59:53.745161057 CEST | 1.1.1.1 | 192.168.2.7 | 0xbb27 | Name error (3) | n.yqqufklho.ru | none | none | A (IP address) | IN (0x0001) | false
Jul 25, 2024 10:59:54.160371065 CEST | 1.1.1.1 | 192.168.2.7 | 0x104d | No error (0) | n.vbemnggcj.ru | | 204.95.99.243 | A (IP address) | IN (0x0001) | false
Jul 25, 2024 10:59:55.318169117 CEST | 1.1.1.1 | 192.168.2.7 | 0xf4d | No error (0) | n.yxntnyrap.ru | | 204.95.99.243 | A (IP address) | IN (0x0001) | false
Jul 25, 2024 10:59:56.600156069 CEST | 1.1.1.1 | 192.168.2.7 | 0xf5c4 | No error (0) | n.oceardpku.ru | | 204.95.99.243 | A (IP address) | IN (0x0001) | false
Jul 25, 2024 10:59:58.802083969 CEST | 1.1.1.1 | 192.168.2.7 | 0xf55b | No error (0) | n.zhgcuntif.ru | | 204.95.99.243 | A (IP address) | IN (0x0001) | false
Jul 25, 2024 11:00:00.062961102 CEST | 1.1.1.1 | 192.168.2.7 | 0x4690 | No error (0) | n.jupoofsnc.ru | | 204.95.99.243 | A (IP address) | IN (0x0001) | false
Jul 25, 2024 11:00:01.900294065 CEST | 1.1.1.1 | 192.168.2.7 | 0x2e3e | No error (0) | n.aoyylwyxd.ru | | 204.95.99.243 | A (IP address) | IN (0x0001) | false
Jul 25, 2024 11:00:03.807830095 CEST | 1.1.1.1 | 192.168.2.7 | 0xb5d0 | No error (0) | n.kvupdstwh.ru | | 204.95.99.243 | A (IP address) | IN (0x0001) | false
Jul 25, 2024 11:00:05.598862886 CEST | 1.1.1.1 | 192.168.2.7 | 0x8880 | No error (0) | n.spgpemwqk.ru | | 204.95.99.243 | A (IP address) | IN (0x0001) | false
Jul 25, 2024 11:00:06.965976954 CEST | 1.1.1.1 | 192.168.2.7 | 0x22df | No error (0) | n.zhjdwkpaz.ru | | 204.95.99.243 | A (IP address) | IN (0x0001) | false
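The answers above carry a pattern worth turning into a check rather than reading by eye: a run of second-level labels under a fixed "n." prefix that look machine-generated, two NXDOMAIN replies in the middle of the run, and ten distinct names all resolving to 204.95.99.243. The script below is an added example written for this page, not code from Joe Sandbox or from the sample; it parses the answer rows (re-typed inline as pipe-separated fields, so it runs offline), flags DGA-looking names with a vowel-ratio / consonant-run heuristic whose thresholds are an assumption chosen by hand, and then groups the flagged names by the address they resolved to. Short labels are deliberately not judged, which is why n.lotys.ru is left alone.

```python
from collections import defaultdict

# Constructed sample: the DNS answers from the report above, as
# timestamp | src | dst | txid | rcode | name | cname | address.
DNS_ANSWERS = """\
Jul 25, 2024 10:59:27.049040079 CEST | 1.1.1.1 | 192.168.2.7 | 0x6123 | No error (0) | api.wipmania.com | | 127.0.0.1
Jul 25, 2024 10:59:29.140310049 CEST | 1.1.1.1 | 192.168.2.7 | 0xf095 | No error (0) | n.lotys.ru | | 194.58.112.165
Jul 25, 2024 10:59:50.816118956 CEST | 1.1.1.1 | 192.168.2.7 | 0xb2be | No error (0) | n.jntbxduhz.ru | | 195.133.45.237
Jul 25, 2024 10:59:52.206886053 CEST | 1.1.1.1 | 192.168.2.7 | 0xdca | Name error (3) | n.hmiblgoja.ru | none | none
Jul 25, 2024 10:59:52.409451962 CEST | 1.1.1.1 | 192.168.2.7 | 0x2e07 | No error (0) | n.ezjhyxxbf.ru | | 204.95.99.243
Jul 25, 2024 10:59:53.745161057 CEST | 1.1.1.1 | 192.168.2.7 | 0xbb27 | Name error (3) | n.yqqufklho.ru | none | none
Jul 25, 2024 10:59:54.160371065 CEST | 1.1.1.1 | 192.168.2.7 | 0x104d | No error (0) | n.vbemnggcj.ru | | 204.95.99.243
Jul 25, 2024 10:59:55.318169117 CEST | 1.1.1.1 | 192.168.2.7 | 0xf4d | No error (0) | n.yxntnyrap.ru | | 204.95.99.243
Jul 25, 2024 10:59:56.600156069 CEST | 1.1.1.1 | 192.168.2.7 | 0xf5c4 | No error (0) | n.oceardpku.ru | | 204.95.99.243
Jul 25, 2024 10:59:58.802083969 CEST | 1.1.1.1 | 192.168.2.7 | 0xf55b | No error (0) | n.zhgcuntif.ru | | 204.95.99.243
Jul 25, 2024 11:00:00.062961102 CEST | 1.1.1.1 | 192.168.2.7 | 0x4690 | No error (0) | n.jupoofsnc.ru | | 204.95.99.243
Jul 25, 2024 11:00:01.900294065 CEST | 1.1.1.1 | 192.168.2.7 | 0x2e3e | No error (0) | n.aoyylwyxd.ru | | 204.95.99.243
Jul 25, 2024 11:00:03.807830095 CEST | 1.1.1.1 | 192.168.2.7 | 0xb5d0 | No error (0) | n.kvupdstwh.ru | | 204.95.99.243
Jul 25, 2024 11:00:05.598862886 CEST | 1.1.1.1 | 192.168.2.7 | 0x8880 | No error (0) | n.spgpemwqk.ru | | 204.95.99.243
Jul 25, 2024 11:00:06.965976954 CEST | 1.1.1.1 | 192.168.2.7 | 0x22df | No error (0) | n.zhjdwkpaz.ru | | 204.95.99.243
"""

VOWELS = set("aeiou")
# Heuristic thresholds (assumption, tuned by hand on the rows above):
MIN_LABEL_LEN = 8        # shorter labels give too little signal to judge
MAX_VOWEL_RATIO = 0.35   # natural-language labels sit well above this
MIN_CONSONANT_RUN = 4    # runs like "rdpk" or "fsnc" are rare in real words


def parse_answers(text):
    """Turn the pipe-separated rows into dicts; 'none' or empty address -> None."""
    records = []
    for line in text.strip().splitlines():
        fields = [f.strip() for f in line.split("|")]
        ts, src, dst, txid, rcode, name, cname, addr = fields[:8]
        records.append({"ts": ts, "txid": txid, "rcode": rcode, "name": name.lower(),
                        "addr": addr if addr and addr != "none" else None})
    return records


def label_stats(label):
    """Return (vowel ratio, longest run of consonant letters) for one label."""
    vowels = sum(1 for c in label if c in VOWELS)
    run = best = 0
    for c in label:
        if c.isalpha() and c not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return vowels / len(label), best


def is_dga_like(name):
    """Judge the second-level label only (the part the generator controls)."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2 or len(labels[-2]) < MIN_LABEL_LEN:
        return False
    vowel_ratio, consonant_run = label_stats(labels[-2])
    return vowel_ratio < MAX_VOWEL_RATIO or consonant_run >= MIN_CONSONANT_RUN


def nxdomain_count(records):
    return sum(1 for r in records if r["rcode"].startswith("Name error"))


def shared_resolutions(records, min_names=3):
    """Addresses that at least min_names distinct DGA-like names resolved to:
    a typical sign of a sinkhole or of a C2 host registered under many names."""
    by_addr = defaultdict(set)
    for r in records:
        if r["addr"] and is_dga_like(r["name"]):
            by_addr[r["addr"]].add(r["name"])
    return {addr: sorted(names) for addr, names in by_addr.items() if len(names) >= min_names}


if __name__ == "__main__":
    recs = parse_answers(DNS_ANSWERS)
    flagged = [r["name"] for r in recs if is_dga_like(r["name"])]
    print(f"{len(flagged)} of {len(recs)} names look generated, {nxdomain_count(recs)} NXDOMAIN")
    for addr, names in shared_resolutions(recs).items():
        print(f"{addr}: {len(names)} generated names -> {', '.join(names)}")
```

The heuristic is intentionally crude: it is meant to surface a run of names for an analyst to look at, not to block on its own, and it says nothing about whether 204.95.99.243 is the operator's server or a sinkhole; that has to come from the address itself.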
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49707 | 195.133.45.237 | 3720 | 2060 | C:\Windows\SysWOW64\mspaint.exe
Timestamp | Bytes transferred | Direction | Data
Jul 25, 2024 10:59:52.046266079 CEST | 309 | IN | HTTP/1.1 400 Bad Request
Server: nginx/1.23.0
Date: Thu, 25 Jul 2024 08:59:51 GMT
Content-Type: text/html
Content-Length: 157
Connection: close
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 33 2e 30 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>nginx/1.23.0</center></body></html>
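The process records that follow are the other half of the picture: the sample's own instances exit, while bare copies of svchost.exe, calc.exe and mspaint.exe from SysWOW64 started in the same second stay alive (the session above shows mspaint.exe doing the talking), and the persisted copy runs from a Program Files (x86) folder whose name looks generated. The script below is an added example written for this page, not Joe Sandbox code; it parses a subset of those records, re-typed inline in the report's own Key:Value layout, and applies three checks. A genuine svchost.exe is started by services.exe with "-k <group>", so a bare invocation is a reliable signal; the "random folder" regex and its length threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the process records from the report,
# kept in the report's "Key:Value" layout, one blank line between targets.
PROCESS_RECORDS = r"""
Target ID:15
Start time:06:39:08
Path:C:\Users\user\Desktop\LisectAVT_2403002C_106.exe
Commandline:"C:\Users\user\Desktop\LisectAVT_2403002C_106.exe"
MD5 hash:E57E7EF9D1A8B3196C522D45710ED22B
Has exited:true

Target ID:16
Start time:06:39:08
Path:C:\Windows\SysWOW64\svchost.exe
Commandline:"C:\Windows\SysWOW64\svchost.exe"
MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
Has exited:false

Target ID:17
Start time:06:39:08
Path:C:\Windows\SysWOW64\calc.exe
Commandline:"C:\Windows\SysWOW64\calc.exe"
MD5 hash:961E093BE1F666FD38602AD90A5F480F
Has exited:false

Target ID:18
Start time:06:39:08
Path:C:\Windows\SysWOW64\mspaint.exe
Commandline:"C:\Windows\SysWOW64\mspaint.exe"
MD5 hash:986A191E95952C9E3FE6BE112FB92026
Has exited:false

Target ID:20
Start time:06:39:15
Path:C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
Commandline:C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
MD5 hash:64ACA4F48771A5BA50CD50F2410632AD
Has exited:true

Target ID:21
Start time:06:39:16
Path:C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe
Commandline:"C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe"
MD5 hash:32B8AD6ECA9094891E792631BAEA9717
Has exited:false
"""

SAMPLE_MD5 = "E57E7EF9D1A8B3196C522D45710ED22B"   # MD5 of the submitted sample
RANDOM_DIR = re.compile(r"^[A-Za-z]{24,}$")      # assumption: long, letters only, no spaces


def parse_targets(text):
    """Split blank-line separated 'Key:Value' blocks into one dict per target."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")   # split on the first colon only
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def svchost_without_service_group(rec):
    """services.exe always passes '-k <group>'; a bare svchost.exe is a decoy host."""
    name = rec["Path"].rsplit("\\", 1)[-1].lower()
    return name == "svchost.exe" and "-k" not in rec["Commandline"].split()


def random_program_files_dir(rec):
    """Heuristic: a vendor folder under Program Files that is one long run of
    mixed-case letters with no space or digit looks generated, not installed."""
    parts = rec["Path"].split("\\")
    if len(parts) < 4 or not parts[1].lower().startswith("program files"):
        return False
    folder = parts[2]
    return bool(RANDOM_DIR.match(folder)) and folder not in (folder.lower(), folder.upper())


def migration_candidates(records, sample_md5):
    """Processes that are still alive although the sample instance started in
    the same second has already exited: where injected code is likely running."""
    exit_times = {r["Start time"] for r in records
                  if r["MD5 hash"] == sample_md5 and r["Has exited"] == "true"}
    return [r["Path"] for r in records
            if r["MD5 hash"] != sample_md5 and r["Has exited"] == "false"
            and r["Start time"] in exit_times]


def triage(records, sample_md5=SAMPLE_MD5):
    findings = defaultdict(list)
    for r in records:
        if svchost_without_service_group(r):
            findings["svchost without -k"].append(r["Target ID"])
        if random_program_files_dir(r):
            findings["random Program Files folder"].append(r["Target ID"])
    findings["alive after sample exit"] = migration_candidates(records, sample_md5)
    return dict(findings)


if __name__ == "__main__":
    for check, hits in triage(parse_targets(PROCESS_RECORDS)).items():
        print(f"{check}: {hits}")
```

The third check is the one that generalises: it needs no knowledge of which binaries the family prefers, only the start times and exit states the sandbox already records, and it is what points the analyst at mspaint.exe before the network session does.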



                                                Target ID:0
                                                Start time:04:57:59
                                                Start date:25/07/2024
                                                Path:C:\Users\user\Desktop\LisectAVT_2403002C_106.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\LisectAVT_2403002C_106.exe"
                                                Imagebase:0x400000
                                                File size:180'196 bytes
                                                MD5 hash:E57E7EF9D1A8B3196C522D45710ED22B
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:low
                                                Has exited:true

                                                Target ID:15
                                                Start time:06:39:08
                                                Start date:25/07/2024
                                                Path:C:\Users\user\Desktop\LisectAVT_2403002C_106.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\LisectAVT_2403002C_106.exe"
                                                Imagebase:0x400000
                                                File size:180'196 bytes
                                                MD5 hash:E57E7EF9D1A8B3196C522D45710ED22B
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:low
                                                Has exited:true

                                                Target ID:16
                                                Start time:06:39:08
                                                Start date:25/07/2024
                                                Path:C:\Windows\SysWOW64\svchost.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\SysWOW64\svchost.exe"
                                                Imagebase:0xad0000
                                                File size:46'504 bytes
                                                MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
                                                Has exited:false

                                                Target ID:17
                                                Start time:06:39:08
                                                Start date:25/07/2024
                                                Path:C:\Windows\SysWOW64\calc.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\SysWOW64\calc.exe"
                                                Imagebase:0x740000
                                                File size:26'112 bytes
                                                MD5 hash:961E093BE1F666FD38602AD90A5F480F
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
                                                Has exited:false

                                                Target ID:18
                                                Start time:06:39:08
                                                Start date:25/07/2024
                                                Path:C:\Windows\SysWOW64\mspaint.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\SysWOW64\mspaint.exe"
                                                Imagebase:0x400000
                                                File size:743'424 bytes
                                                MD5 hash:986A191E95952C9E3FE6BE112FB92026
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
                                                Has exited:false

                                                Target ID:19
                                                Start time:06:39:08
                                                Start date:25/07/2024
                                                Path:C:\Users\user\Desktop\LisectAVT_2403002C_106.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\LisectAVT_2403002C_106.exe"
                                                Imagebase:0x400000
                                                File size:180'196 bytes
                                                MD5 hash:E57E7EF9D1A8B3196C522D45710ED22B
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:low
                                                Has exited:true

                                                Target ID:20
                                                Start time:06:39:15
                                                Start date:25/07/2024
                                                Path:C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
                                                Imagebase:0x4b0000
                                                File size:418'304 bytes
                                                MD5 hash:64ACA4F48771A5BA50CD50F2410632AD
                                                Has elevated privileges:true
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
                                                Has exited:true

                                                Target ID:21
                                                Start time:06:39:16
                                                Start date:25/07/2024
                                                Path:C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe"
                                                Imagebase:0x280000
                                                File size:140'800 bytes
                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:false

                                                Target ID:22
                                                Start time:06:39:16
                                                Start date:25/07/2024
                                                Path:C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe"
                                                Imagebase:0x280000
                                                File size:140'800 bytes
                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:false

                                                Target ID:23
                                                Start time:06:39:16
                                                Start date:25/07/2024
                                                Path:C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe"
                                                Imagebase:0x280000
                                                File size:140'800 bytes
                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:false

                                                Target ID:24
                                                Start time:06:39:16
                                                Start date:25/07/2024
                                                Path:C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe"
                                                Imagebase:0x280000
                                                File size:140'800 bytes
                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:false

                                                Target ID:25
                                                Start time:06:39:16
                                                Start date:25/07/2024
                                                Path:C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe"
                                                Imagebase:0x280000
                                                File size:140'800 bytes
                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:false

                                                Target ID:26
                                                Start time:06:39:16
                                                Start date:25/07/2024
                                                Path:C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe"
                                                Imagebase:0x280000
                                                File size:140'800 bytes
                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:false

                                                Target ID:27
                                                Start time:06:39:16
                                                Start date:25/07/2024
                                                Path:C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe"
                                                Imagebase:0x280000
                                                File size:140'800 bytes
                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:28
                                                Start time:06:39:17
                                                Start date:25/07/2024
                                                Path:C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe"
                                                Imagebase:0x280000
                                                File size:140'800 bytes
                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:29
                                                Start time:06:39:17
                                                Start date:25/07/2024
                                                Path:C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe"
                                                Imagebase:0x280000
                                                File size:140'800 bytes
                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:30
                                                Start time:06:39:17
                                                Start date:25/07/2024
                                                Path:C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe"
                                                Imagebase:0x280000
                                                File size:140'800 bytes
                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:31
                                                Start time:06:39:18
                                                Start date:25/07/2024
                                                Path:C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe"
                                                Imagebase:0x280000
                                                File size:140'800 bytes
                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:32
                                                Start time:06:39:18
                                                Start date:25/07/2024
                                                Path:C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe"
                                                Imagebase:0x280000
                                                File size:140'800 bytes
                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:33
                                                Start time:06:39:18
                                                Start date:25/07/2024
                                                Path:C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe"
                                                Imagebase:0x280000
                                                File size:140'800 bytes
                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:34
                                                Start time:06:39:18
                                                Start date:25/07/2024
                                                Path:C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe"
                                                Imagebase:0x280000
                                                File size:140'800 bytes
                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:35
                                                Start time:06:39:18
                                                Start date:25/07/2024
                                                Path:C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe"
                                                Imagebase:0x280000
                                                File size:140'800 bytes
                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:36
                                                Start time:06:39:18
                                                Start date:25/07/2024
                                                Path:C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe"
                                                Imagebase:0x280000
                                                File size:140'800 bytes
                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:37
                                                Start time:06:39:18
                                                Start date:25/07/2024
                                                Path:C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe"
                                                Imagebase:0x280000
                                                File size:140'800 bytes
                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:38
                                                Start time:06:39:18
                                                Start date:25/07/2024
                                                Path:C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe"
                                                Imagebase:0x280000
                                                File size:140'800 bytes
                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:39
                                                Start time:06:39:19
                                                Start date:25/07/2024
                                                Path:C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe"
                                                Imagebase:0x280000
                                                File size:140'800 bytes
                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:false

                                                Target ID:40
                                                Start time:06:39:19
                                                Start date:25/07/2024
                                                Path:C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\NwxSVcTqESJKDgPFPKZIvqzQkzHSWgYDImihQIoYBXkkGIpSKkwkczfuqpsFbDfIfQX\bWgyuzlQlr.exe"
                                                Imagebase:0x280000
                                                File size:140'800 bytes
                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Has exited:false


                                                  Execution Graph

                                                  Execution Coverage:9.8%
                                                  Dynamic/Decrypted Code Coverage:1.2%
                                                  Signature Coverage:9.7%
                                                  Total number of Nodes:1702
                                                  Total number of Limit Nodes:17
                                                  execution_graph 7170 450000 GetPEB 7171 450067 GetPEB 7170->7171 7173 450685 CreateToolhelp32Snapshot 7171->7173 7175 450c47 Process32First 7173->7175 7176 450c3d 7173->7176 7177 450c9f FindCloseChangeNotification CreateToolhelp32Snapshot 7175->7177 7178 450c59 Process32Next 7175->7178 7176->7175 7180 450cb4 7177->7180 7181 450cbe Process32First 7177->7181 7178->7177 7180->7181 7182 450d16 FindCloseChangeNotification 7181->7182 7183 450cd0 7181->7183 7184 450d2c 7182->7184 7183->7182 7186 450e99 7184->7186 7187 450ebb 7186->7187 7187->7187 7188 450ef4 VirtualAlloc 7187->7188 7190 450f23 7188->7190 7189 45128e 7189->7184 7190->7189 7191 451188 CreateProcessA NtUnmapViewOfSection VirtualAllocEx WriteProcessMemory 7190->7191 7192 451226 Wow64GetThreadContext WriteProcessMemory Wow64SetThreadContext ResumeThread ExitProcess 7191->7192 7193 4511db 7191->7193 7194 4511de WriteProcessMemory 7193->7194 7194->7192 7194->7194 7195 402ea5 7234 4056d8 7195->7234 7197 402eb1 GetStartupInfoA 7200 402ed4 7197->7200 7235 4058cc HeapCreate 7200->7235 7201 402f24 7237 404106 GetModuleHandleW 7201->7237 7205 402f35 __RTC_Initialize 7271 4096bc 7205->7271 7206 402e7c _fast_error_exit 67 API calls 7206->7205 7208 402f43 7209 402f4f GetCommandLineA 7208->7209 7390 40592c 7208->7390 7286 409585 7209->7286 7216 40592c __amsg_exit 67 API calls 7218 402f74 7216->7218 7322 409252 7218->7322 7220 402f85 7337 4059eb 7220->7337 7221 40592c __amsg_exit 67 API calls 7221->7220 7223 402f8c 7224 402f97 7223->7224 7225 40592c __amsg_exit 67 API calls 7223->7225 7343 4091f3 7224->7343 7225->7224 7230 402fc6 7400 405bc8 7230->7400 7233 402fcb __commit 7234->7197 7236 402f18 7235->7236 7236->7201 7382 402e7c 7236->7382 7238 404121 7237->7238 7239 40411a 7237->7239 7241 404289 7238->7241 7242 40412b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 7238->7242 7403 4058fc 7239->7403 7462 403e20 7241->7462 7244 404174 TlsAlloc 7242->7244 7247 
402f2a 7244->7247 7248 4041c2 TlsSetValue 7244->7248 7247->7205 7247->7206 7248->7247 7249 4041d3 7248->7249 7407 405be6 7249->7407 7254 403cf6 __encode_pointer 6 API calls 7255 4041f3 7254->7255 7256 403cf6 __encode_pointer 6 API calls 7255->7256 7257 404203 7256->7257 7258 403cf6 __encode_pointer 6 API calls 7257->7258 7259 404213 7258->7259 7424 404a65 7259->7424 7266 403d71 __decode_pointer 6 API calls 7267 404267 7266->7267 7267->7241 7268 40426e 7267->7268 7444 403e5d 7268->7444 7270 404276 GetCurrentThreadId 7270->7247 7796 4056d8 7271->7796 7273 4096c8 GetStartupInfoA 7274 407e7c __calloc_crt 67 API calls 7273->7274 7281 4096e9 7274->7281 7275 409907 __commit 7275->7208 7276 40984e 7276->7275 7277 409884 GetStdHandle 7276->7277 7278 4098e9 SetHandleCount 7276->7278 7280 409896 GetFileType 7276->7280 7283 40a734 ___lock_fhandle InitializeCriticalSectionAndSpinCount 7276->7283 7277->7276 7278->7275 7279 407e7c __calloc_crt 67 API calls 7279->7281 7280->7276 7281->7275 7281->7276 7281->7279 7285 4097d1 7281->7285 7282 4097fa GetFileType 7282->7285 7283->7276 7284 40a734 ___lock_fhandle InitializeCriticalSectionAndSpinCount 7284->7285 7285->7275 7285->7276 7285->7282 7285->7284 7287 4095c2 7286->7287 7288 4095a3 GetEnvironmentStringsW 7286->7288 7290 4095ab 7287->7290 7291 40965b 7287->7291 7289 4095b7 GetLastError 7288->7289 7288->7290 7289->7287 7292 4095ed WideCharToMultiByte 7290->7292 7293 4095de GetEnvironmentStringsW 7290->7293 7294 409664 GetEnvironmentStrings 7291->7294 7298 402f5f 7291->7298 7296 409650 FreeEnvironmentStringsW 7292->7296 7297 409621 7292->7297 7293->7292 7293->7298 7294->7298 7299 409674 7294->7299 7296->7298 7301 407e37 __malloc_crt 67 API calls 7297->7301 7311 4094ca 7298->7311 7300 407e37 __malloc_crt 67 API calls 7299->7300 7302 40968e 7300->7302 7303 409627 7301->7303 7304 4096a1 ___crtGetEnvironmentStringsA 7302->7304 7305 409695 FreeEnvironmentStringsA 7302->7305 7303->7296 7306 40962f WideCharToMultiByte 7303->7306 7309 4096ab 
FreeEnvironmentStringsA 7304->7309 7305->7298 7307 409641 7306->7307 7308 409649 7306->7308 7310 407d41 __freea 67 API calls 7307->7310 7308->7296 7309->7298 7310->7308 7312 4094e4 GetModuleFileNameA 7311->7312 7313 4094df 7311->7313 7315 40950b 7312->7315 7803 4039b3 7313->7803 7797 409330 7315->7797 7317 402f69 7317->7216 7317->7218 7319 407e37 __malloc_crt 67 API calls 7320 40954d 7319->7320 7320->7317 7321 409330 _parse_cmdline 77 API calls 7320->7321 7321->7317 7323 40925b 7322->7323 7326 409260 _strlen 7322->7326 7324 4039b3 ___initmbctable 111 API calls 7323->7324 7324->7326 7325 402f7a 7325->7220 7325->7221 7326->7325 7327 407e7c __calloc_crt 67 API calls 7326->7327 7329 409295 _strlen 7327->7329 7328 4092f3 7330 407d41 __freea 67 API calls 7328->7330 7329->7325 7329->7328 7331 407e7c __calloc_crt 67 API calls 7329->7331 7332 409319 7329->7332 7333 407dcf _strcpy_s 67 API calls 7329->7333 7335 4092da 7329->7335 7330->7325 7331->7329 7334 407d41 __freea 67 API calls 7332->7334 7333->7329 7334->7325 7335->7329 7336 405e5e __invoke_watson 10 API calls 7335->7336 7336->7335 7338 4059f9 __IsNonwritableInCurrentImage 7337->7338 8214 40aeeb 7338->8214 7340 405a17 __initterm_e 7342 405a36 __IsNonwritableInCurrentImage __initterm 7340->7342 8218 40aed4 7340->8218 7342->7223 7344 409201 7343->7344 7347 409206 7343->7347 7345 4039b3 ___initmbctable 111 API calls 7344->7345 7345->7347 7346 402f9d 7349 401000 7346->7349 7347->7346 7348 40c1d4 __wincmdln 77 API calls 7347->7348 7348->7347 8318 40260c GetSystemTimeAsFileTime 7349->8318 7351 401077 8320 401540 7351->8320 7358 401540 GetSystemTimeAsFileTime 7359 401116 7358->7359 7360 401540 GetSystemTimeAsFileTime 7359->7360 7361 401125 7360->7361 8329 4014e0 7361->8329 7365 401166 8349 401a63 7365->8349 7368 401913 _malloc 67 API calls 7370 401186 7368->7370 7369 401a80 _printf 105 API calls 7369->7370 7370->7369 7380 401239 7370->7380 7371 401540 GetSystemTimeAsFileTime 7371->7380 7373 401500 124 API calls 7373->7380 
7376 401a80 105 API calls _printf 7376->7380 7377 4014b9 7379 40265d __setmbcp_nolock 5 API calls 7377->7379 7381 4014cf 7379->7381 7380->7371 7380->7373 7380->7376 7380->7377 8352 401867 7380->8352 8356 401725 7380->8356 8360 40157e 7380->8360 8364 401520 7380->8364 7381->7230 7397 405b9c 7381->7397 7383 402e8a 7382->7383 7384 402e8f 7382->7384 7385 405ddf __FF_MSGBANNER 67 API calls 7383->7385 7386 405c34 __NMSG_WRITE 67 API calls 7384->7386 7385->7384 7387 402e97 7386->7387 7388 405980 __mtinitlocknum 3 API calls 7387->7388 7389 402ea1 7388->7389 7389->7201 7391 405ddf __FF_MSGBANNER 67 API calls 7390->7391 7392 405936 7391->7392 7393 405c34 __NMSG_WRITE 67 API calls 7392->7393 7394 40593e 7393->7394 7395 403d71 __decode_pointer 6 API calls 7394->7395 7396 402f4e 7395->7396 7396->7209 9142 405a70 7397->9142 7399 405bad 7399->7230 7401 405a70 _doexit 67 API calls 7400->7401 7402 405bd3 7401->7402 7402->7233 7404 405907 Sleep GetModuleHandleW 7403->7404 7405 405925 7404->7405 7406 404120 7404->7406 7405->7404 7405->7406 7406->7238 7473 403d68 7407->7473 7409 405bee __init_pointers __initp_misc_winsig 7476 40af45 7409->7476 7412 403cf6 __encode_pointer 6 API calls 7413 4041d8 7412->7413 7414 403cf6 TlsGetValue 7413->7414 7415 403d0e 7414->7415 7416 403d2f GetModuleHandleW 7414->7416 7415->7416 7417 403d18 TlsGetValue 7415->7417 7418 403d4a GetProcAddress 7416->7418 7419 403d3f 7416->7419 7422 403d23 7417->7422 7421 403d27 7418->7421 7420 4058fc __crt_waiting_on_module_handle 2 API calls 7419->7420 7423 403d45 7420->7423 7421->7254 7422->7416 7422->7421 7423->7418 7423->7421 7425 404a70 7424->7425 7427 404220 7425->7427 7479 40a734 7425->7479 7427->7241 7428 403d71 TlsGetValue 7427->7428 7429 403d89 7428->7429 7430 403daa GetModuleHandleW 7428->7430 7429->7430 7431 403d93 TlsGetValue 7429->7431 7432 403dc5 GetProcAddress 7430->7432 7433 403dba 7430->7433 7437 403d9e 7431->7437 7435 403da2 7432->7435 7434 4058fc __crt_waiting_on_module_handle 2 API calls 7433->7434 
7436 403dc0 7434->7436 7435->7241 7438 407e7c 7435->7438 7436->7432 7436->7435 7437->7430 7437->7435 7439 407e85 7438->7439 7441 40424d 7439->7441 7442 407ea3 Sleep 7439->7442 7484 40ba00 7439->7484 7441->7241 7441->7266 7443 407eb8 7442->7443 7443->7439 7443->7441 7775 4056d8 7444->7775 7446 403e69 GetModuleHandleW 7447 403e79 7446->7447 7451 403e7f 7446->7451 7448 4058fc __crt_waiting_on_module_handle 2 API calls 7447->7448 7448->7451 7449 403e97 GetProcAddress GetProcAddress 7450 403ebb 7449->7450 7452 404be1 __lock 63 API calls 7450->7452 7451->7449 7451->7450 7453 403eda InterlockedIncrement 7452->7453 7776 403f32 7453->7776 7456 404be1 __lock 63 API calls 7457 403efb 7456->7457 7779 403b1a InterlockedIncrement 7457->7779 7459 403f19 7791 403f3b 7459->7791 7461 403f26 __commit 7461->7270 7463 403e2a 7462->7463 7466 403e36 7462->7466 7464 403d71 __decode_pointer 6 API calls 7463->7464 7464->7466 7465 403e4a TlsFree 7467 403e58 7465->7467 7466->7465 7466->7467 7468 404acc DeleteCriticalSection 7467->7468 7469 404ae4 7467->7469 7470 407d41 __freea 67 API calls 7468->7470 7471 404af6 DeleteCriticalSection 7469->7471 7472 404b04 7469->7472 7470->7467 7471->7469 7472->7247 7474 403cf6 __encode_pointer 6 API calls 7473->7474 7475 403d6f 7474->7475 7475->7409 7477 403cf6 __encode_pointer 6 API calls 7476->7477 7478 405c20 7477->7478 7478->7412 7483 4056d8 7479->7483 7481 40a740 InitializeCriticalSectionAndSpinCount 7482 40a784 __commit 7481->7482 7482->7425 7483->7481 7485 40ba0c __commit 7484->7485 7486 40ba24 7485->7486 7496 40ba43 _memset 7485->7496 7497 4046bf 7486->7497 7490 40bab5 HeapAlloc 7490->7496 7491 40ba39 __commit 7491->7439 7496->7490 7496->7491 7503 404be1 7496->7503 7510 4053f3 7496->7510 7516 40bafc 7496->7516 7519 405e27 7496->7519 7522 403f44 GetLastError 7497->7522 7499 4046c4 7500 405f86 7499->7500 7501 403d71 __decode_pointer 6 API calls 7500->7501 7502 405f96 __invoke_watson 7501->7502 7504 404bf6 7503->7504 7505 404c09 EnterCriticalSection 
7503->7505 7570 404b1e 7504->7570 7505->7496 7507 404bfc 7507->7505 7508 40592c __amsg_exit 66 API calls 7507->7508 7509 404c08 7508->7509 7509->7505 7511 405421 7510->7511 7512 4054ba 7511->7512 7515 4054c3 7511->7515 7763 404f5a 7511->7763 7512->7515 7770 40500a 7512->7770 7515->7496 7774 404b07 LeaveCriticalSection 7516->7774 7518 40bb03 7518->7496 7520 403d71 __decode_pointer 6 API calls 7519->7520 7521 405e37 7520->7521 7521->7496 7537 403dec TlsGetValue 7522->7537 7525 403fb1 SetLastError 7525->7499 7526 407e7c __calloc_crt 64 API calls 7527 403f6f 7526->7527 7527->7525 7528 403f77 7527->7528 7529 403d71 __decode_pointer 6 API calls 7528->7529 7530 403f89 7529->7530 7531 403f90 7530->7531 7532 403fa8 7530->7532 7533 403e5d __getptd_noexit 64 API calls 7531->7533 7542 407d41 7532->7542 7535 403f98 GetCurrentThreadId 7533->7535 7535->7525 7536 403fae 7536->7525 7538 403e01 7537->7538 7539 403e1c 7537->7539 7540 403d71 __decode_pointer 6 API calls 7538->7540 7539->7525 7539->7526 7541 403e0c TlsSetValue 7540->7541 7541->7539 7544 407d4d __commit 7542->7544 7543 407dc6 __commit _realloc 7543->7536 7544->7543 7546 404be1 __lock 65 API calls 7544->7546 7554 407d8c 7544->7554 7545 407da1 HeapFree 7545->7543 7547 407db3 7545->7547 7551 407d64 ___sbh_find_block 7546->7551 7548 4046bf __toupper_l 65 API calls 7547->7548 7549 407db8 GetLastError 7548->7549 7549->7543 7550 407d7e 7562 407d97 7550->7562 7551->7550 7555 404c44 7551->7555 7554->7543 7554->7545 7556 404c83 7555->7556 7557 404f25 7555->7557 7556->7557 7558 404e6f VirtualFree 7556->7558 7557->7550 7559 404ed3 7558->7559 7559->7557 7560 404ee2 VirtualFree HeapFree 7559->7560 7565 40a7a0 7560->7565 7569 404b07 LeaveCriticalSection 7562->7569 7564 407d9e 7564->7554 7566 40a7b8 7565->7566 7567 40a7df __VEC_memcpy 7566->7567 7568 40a7e7 7566->7568 7567->7568 7568->7557 7569->7564 7571 404b2a __commit 7570->7571 7572 404b50 7571->7572 7596 405ddf 7571->7596 7578 404b60 __commit 7572->7578 7642 407e37 7572->7642 
7578->7507 7580 404b81 7582 404be1 __lock 67 API calls 7580->7582 7581 404b72 7584 4046bf __toupper_l 67 API calls 7581->7584 7585 404b88 7582->7585 7584->7578 7586 404b90 7585->7586 7587 404bbc 7585->7587 7588 40a734 ___lock_fhandle InitializeCriticalSectionAndSpinCount 7586->7588 7589 407d41 __freea 67 API calls 7587->7589 7590 404b9b 7588->7590 7591 404bad 7589->7591 7590->7591 7593 407d41 __freea 67 API calls 7590->7593 7648 404bd8 7591->7648 7594 404ba7 7593->7594 7595 4046bf __toupper_l 67 API calls 7594->7595 7595->7591 7651 40b2ef 7596->7651 7599 405df3 7601 405c34 __NMSG_WRITE 67 API calls 7599->7601 7604 404b3f 7599->7604 7600 40b2ef __set_error_mode 67 API calls 7600->7599 7602 405e0b 7601->7602 7603 405c34 __NMSG_WRITE 67 API calls 7602->7603 7603->7604 7605 405c34 7604->7605 7606 405c48 7605->7606 7607 40b2ef __set_error_mode 64 API calls 7606->7607 7638 404b46 7606->7638 7608 405c6a 7607->7608 7609 405da8 GetStdHandle 7608->7609 7610 40b2ef __set_error_mode 64 API calls 7608->7610 7611 405db6 _strlen 7609->7611 7609->7638 7612 405c7b 7610->7612 7614 405dcf WriteFile 7611->7614 7611->7638 7612->7609 7613 405c8d 7612->7613 7613->7638 7657 407dcf 7613->7657 7614->7638 7617 405cc3 GetModuleFileNameA 7619 405ce1 7617->7619 7623 405d04 _strlen 7617->7623 7621 407dcf _strcpy_s 64 API calls 7619->7621 7622 405cf1 7621->7622 7622->7623 7624 405e5e __invoke_watson 10 API calls 7622->7624 7635 405d47 7623->7635 7673 40a306 7623->7673 7624->7623 7628 405d6b 7631 40a244 _strcat_s 64 API calls 7628->7631 7630 405e5e __invoke_watson 10 API calls 7630->7628 7632 405d7f 7631->7632 7634 405d90 7632->7634 7636 405e5e __invoke_watson 10 API calls 7632->7636 7633 405e5e __invoke_watson 10 API calls 7633->7635 7691 40b186 7634->7691 7682 40a244 7635->7682 7636->7634 7639 405980 7638->7639 7729 405955 GetModuleHandleW 7639->7729 7644 407e40 7642->7644 7645 404b6b 7644->7645 7646 407e57 Sleep 7644->7646 7732 401913 7644->7732 7645->7580 7645->7581 7647 407e6c 7646->7647 
7647->7644 7647->7645 7762 404b07 LeaveCriticalSection 7648->7762 7650 404bdf 7650->7578 7652 40b2fe 7651->7652 7653 405de6 7652->7653 7654 4046bf __toupper_l 67 API calls 7652->7654 7653->7599 7653->7600 7655 40b321 7654->7655 7656 405f86 __strnicoll_l 6 API calls 7655->7656 7656->7653 7658 407de0 7657->7658 7659 407de7 7657->7659 7658->7659 7662 407e0d 7658->7662 7660 4046bf __toupper_l 67 API calls 7659->7660 7665 407dec 7660->7665 7661 405f86 __strnicoll_l 6 API calls 7663 405caf 7661->7663 7662->7663 7664 4046bf __toupper_l 67 API calls 7662->7664 7663->7617 7666 405e5e 7663->7666 7664->7665 7665->7661 7718 408de0 7666->7718 7668 405e8b IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 7669 405f67 GetCurrentProcess TerminateProcess 7668->7669 7670 405f5b __invoke_watson 7668->7670 7720 40265d 7669->7720 7670->7669 7672 405cc0 7672->7617 7677 40a318 7673->7677 7674 40a31c 7675 4046bf __toupper_l 67 API calls 7674->7675 7676 405d34 7674->7676 7681 40a338 7675->7681 7676->7633 7676->7635 7677->7674 7677->7676 7679 40a362 7677->7679 7678 405f86 __strnicoll_l 6 API calls 7678->7676 7679->7676 7680 4046bf __toupper_l 67 API calls 7679->7680 7680->7681 7681->7678 7683 40a255 7682->7683 7684 40a25c 7682->7684 7683->7684 7688 40a290 7683->7688 7685 4046bf __toupper_l 67 API calls 7684->7685 7690 40a261 7685->7690 7686 405f86 __strnicoll_l 6 API calls 7687 405d5a 7686->7687 7687->7628 7687->7630 7688->7687 7689 4046bf __toupper_l 67 API calls 7688->7689 7689->7690 7690->7686 7692 403d68 ___crtMessageBoxW 6 API calls 7691->7692 7693 40b196 7692->7693 7694 40b231 7693->7694 7695 40b1a9 LoadLibraryA 7693->7695 7702 403d71 __decode_pointer 6 API calls 7694->7702 7709 40b25b 7694->7709 7696 40b2d3 7695->7696 7697 40b1be GetProcAddress 7695->7697 7696->7638 7697->7696 7698 40b1d4 7697->7698 7699 403cf6 __encode_pointer 6 API calls 7698->7699 7703 40b1da GetProcAddress 7699->7703 7700 403d71 __decode_pointer 6 API calls 7700->7696 7701 403d71 
__decode_pointer 6 API calls 7711 40b29e 7701->7711 7704 40b24e 7702->7704 7706 403cf6 __encode_pointer 6 API calls 7703->7706 7705 403d71 __decode_pointer 6 API calls 7704->7705 7705->7709 7707 40b1ef GetProcAddress 7706->7707 7708 403cf6 __encode_pointer 6 API calls 7707->7708 7710 40b204 GetProcAddress 7708->7710 7709->7701 7717 40b286 7709->7717 7712 403cf6 __encode_pointer 6 API calls 7710->7712 7713 403d71 __decode_pointer 6 API calls 7711->7713 7711->7717 7714 40b219 7712->7714 7713->7717 7714->7694 7715 40b223 GetProcAddress 7714->7715 7716 403cf6 __encode_pointer 6 API calls 7715->7716 7716->7694 7717->7700 7719 408dec __VEC_memzero 7718->7719 7719->7668 7721 402665 7720->7721 7722 402667 IsDebuggerPresent 7720->7722 7721->7672 7728 40b33a 7722->7728 7725 408da5 SetUnhandledExceptionFilter UnhandledExceptionFilter 7726 408dc2 __invoke_watson 7725->7726 7727 408dca GetCurrentProcess TerminateProcess 7725->7727 7726->7727 7727->7672 7728->7725 7730 405969 GetProcAddress 7729->7730 7731 405979 ExitProcess 7729->7731 7730->7731 7733 4019c6 7732->7733 7742 401925 7732->7742 7734 405e27 _malloc 6 API calls 7733->7734 7735 4019cc 7734->7735 7737 4046bf __toupper_l 66 API calls 7735->7737 7736 405ddf __FF_MSGBANNER 66 API calls 7743 401936 7736->7743 7749 4019be 7737->7749 7739 405c34 __NMSG_WRITE 66 API calls 7739->7743 7740 401982 RtlAllocateHeap 7740->7742 7741 405980 __mtinitlocknum 3 API calls 7741->7743 7742->7740 7742->7743 7744 4019b2 7742->7744 7745 405e27 _malloc 6 API calls 7742->7745 7747 4019b7 7742->7747 7742->7749 7750 4018c4 7742->7750 7743->7736 7743->7739 7743->7741 7743->7742 7746 4046bf __toupper_l 66 API calls 7744->7746 7745->7742 7746->7747 7748 4046bf __toupper_l 66 API calls 7747->7748 7748->7749 7749->7644 7751 4018d0 __commit 7750->7751 7752 401901 __commit 7751->7752 7753 404be1 __lock 67 API calls 7751->7753 7752->7742 7754 4018e6 7753->7754 7755 4053f3 ___sbh_alloc_block 5 API calls 7754->7755 7756 4018f1 7755->7756 7758 40190a 
7756->7758 7761 404b07 LeaveCriticalSection 7758->7761 7760 401911 7760->7752 7761->7760 7762->7650 7764 404fa1 HeapAlloc 7763->7764 7765 404f6d HeapReAlloc 7763->7765 7767 404fc4 VirtualAlloc 7764->7767 7768 404f8b 7764->7768 7766 404f8f 7765->7766 7765->7768 7766->7764 7767->7768 7769 404fde HeapFree 7767->7769 7768->7512 7769->7768 7771 405021 VirtualAlloc 7770->7771 7773 405068 7771->7773 7773->7515 7774->7518 7775->7446 7794 404b07 LeaveCriticalSection 7776->7794 7778 403ef4 7778->7456 7780 403b38 InterlockedIncrement 7779->7780 7781 403b3b 7779->7781 7780->7781 7782 403b45 InterlockedIncrement 7781->7782 7783 403b48 7781->7783 7782->7783 7784 403b52 InterlockedIncrement 7783->7784 7785 403b55 7783->7785 7784->7785 7786 403b5f InterlockedIncrement 7785->7786 7787 403b62 7785->7787 7786->7787 7788 403b7b InterlockedIncrement 7787->7788 7789 403b96 InterlockedIncrement 7787->7789 7790 403b8b InterlockedIncrement 7787->7790 7788->7787 7789->7459 7790->7787 7795 404b07 LeaveCriticalSection 7791->7795 7793 403f42 7793->7461 7794->7778 7795->7793 7796->7273 7798 40934f 7797->7798 7801 4093bc 7798->7801 7807 40c1d4 7798->7807 7800 4094ba 7800->7317 7800->7319 7801->7800 7802 40c1d4 77 API calls __wincmdln 7801->7802 7802->7801 7804 4039bc 7803->7804 7805 4039c3 7803->7805 8029 403819 7804->8029 7805->7312 7810 40c181 7807->7810 7813 401589 7810->7813 7814 40159c 7813->7814 7820 4015e9 7813->7820 7821 403fbd 7814->7821 7817 4015c9 7817->7820 7841 403514 7817->7841 7820->7798 7822 403f44 __getptd_noexit 67 API calls 7821->7822 7823 403fc5 7822->7823 7824 4015a1 7823->7824 7825 40592c __amsg_exit 67 API calls 7823->7825 7824->7817 7826 403c80 7824->7826 7825->7824 7827 403c8c __commit 7826->7827 7828 403fbd __getptd 67 API calls 7827->7828 7829 403c91 7828->7829 7830 403cbf 7829->7830 7832 403ca3 7829->7832 7831 404be1 __lock 67 API calls 7830->7831 7833 403cc6 7831->7833 7834 403fbd __getptd 67 API calls 7832->7834 7857 403c42 7833->7857 7836 403ca8 7834->7836 7839 
403cb6 __commit 7836->7839 7840 40592c __amsg_exit 67 API calls 7836->7840 7839->7817 7840->7839 7842 403520 __commit 7841->7842 7843 403fbd __getptd 67 API calls 7842->7843 7844 403525 7843->7844 7845 403537 7844->7845 7846 404be1 __lock 67 API calls 7844->7846 7848 403545 __commit 7845->7848 7850 40592c __amsg_exit 67 API calls 7845->7850 7847 403555 7846->7847 7849 40359e 7847->7849 7852 403586 InterlockedIncrement 7847->7852 7853 40356c InterlockedDecrement 7847->7853 7848->7820 8025 4035af 7849->8025 7850->7848 7852->7849 7853->7852 7854 403577 7853->7854 7854->7852 7855 407d41 __freea 67 API calls 7854->7855 7856 403585 7855->7856 7856->7852 7858 403c46 7857->7858 7859 403c78 7857->7859 7858->7859 7860 403b1a ___addlocaleref 8 API calls 7858->7860 7865 403cea 7859->7865 7861 403c59 7860->7861 7861->7859 7868 403ba9 7861->7868 8024 404b07 LeaveCriticalSection 7865->8024 7867 403cf1 7867->7836 7869 403bba InterlockedDecrement 7868->7869 7870 403c3d 7868->7870 7871 403bd2 7869->7871 7872 403bcf InterlockedDecrement 7869->7872 7870->7859 7882 4039d1 7870->7882 7873 403bdc InterlockedDecrement 7871->7873 7874 403bdf 7871->7874 7872->7871 7873->7874 7875 403be9 InterlockedDecrement 7874->7875 7876 403bec 7874->7876 7875->7876 7877 403bf6 InterlockedDecrement 7876->7877 7879 403bf9 7876->7879 7877->7879 7878 403c12 InterlockedDecrement 7878->7879 7879->7878 7880 403c22 InterlockedDecrement 7879->7880 7881 403c2d InterlockedDecrement 7879->7881 7880->7879 7881->7870 7883 403a55 7882->7883 7885 4039e8 7882->7885 7884 403aa2 7883->7884 7886 407d41 __freea 67 API calls 7883->7886 7897 403ac9 7884->7897 7936 409fb6 7884->7936 7885->7883 7887 403a1c 7885->7887 7895 407d41 __freea 67 API calls 7885->7895 7889 403a76 7886->7889 7891 403a3d 7887->7891 7902 407d41 __freea 67 API calls 7887->7902 7892 407d41 __freea 67 API calls 7889->7892 7893 407d41 __freea 67 API calls 7891->7893 7898 403a89 7892->7898 7899 403a4a 7893->7899 7894 403b0e 7900 407d41 __freea 67 API calls 
7894->7900 7901 403a11 7895->7901 7896 407d41 __freea 67 API calls 7896->7897 7897->7894 7906 407d41 67 API calls __freea 7897->7906 7903 407d41 __freea 67 API calls 7898->7903 7907 407d41 __freea 67 API calls 7899->7907 7908 403b14 7900->7908 7912 40a190 7901->7912 7904 403a32 7902->7904 7905 403a97 7903->7905 7928 40a14b 7904->7928 7911 407d41 __freea 67 API calls 7905->7911 7906->7897 7907->7883 7908->7859 7911->7884 7913 40a19d 7912->7913 7927 40a21a 7912->7927 7914 40a1ae 7913->7914 7915 407d41 __freea 67 API calls 7913->7915 7916 40a1c0 7914->7916 7917 407d41 __freea 67 API calls 7914->7917 7915->7914 7918 40a1d2 7916->7918 7919 407d41 __freea 67 API calls 7916->7919 7917->7916 7920 40a1e4 7918->7920 7921 407d41 __freea 67 API calls 7918->7921 7919->7918 7922 40a1f6 7920->7922 7923 407d41 __freea 67 API calls 7920->7923 7921->7920 7924 40a208 7922->7924 7925 407d41 __freea 67 API calls 7922->7925 7923->7922 7926 407d41 __freea 67 API calls 7924->7926 7924->7927 7925->7924 7926->7927 7927->7887 7929 40a158 7928->7929 7935 40a18c 7928->7935 7930 40a168 7929->7930 7931 407d41 __freea 67 API calls 7929->7931 7932 40a17a 7930->7932 7933 407d41 __freea 67 API calls 7930->7933 7931->7930 7934 407d41 __freea 67 API calls 7932->7934 7932->7935 7933->7932 7934->7935 7935->7891 7937 409fc7 7936->7937 7938 403ac2 7936->7938 7939 407d41 __freea 67 API calls 7937->7939 7938->7896 7940 409fcf 7939->7940 7941 407d41 __freea 67 API calls 7940->7941 7942 409fd7 7941->7942 7943 407d41 __freea 67 API calls 7942->7943 7944 409fdf 7943->7944 7945 407d41 __freea 67 API calls 7944->7945 7946 409fe7 7945->7946 7947 407d41 __freea 67 API calls 7946->7947 7948 409fef 7947->7948 7949 407d41 __freea 67 API calls 7948->7949 7950 409ff7 7949->7950 7951 407d41 __freea 67 API calls 7950->7951 7952 409ffe 7951->7952 7953 407d41 __freea 67 API calls 7952->7953 7954 40a006 7953->7954 7955 407d41 __freea 67 API calls 7954->7955 7956 40a00e 7955->7956 7957 407d41 __freea 67 API calls 7956->7957 
7958 40a016 7957->7958 7959 407d41 __freea 67 API calls 7958->7959 7960 40a01e 7959->7960 7961 407d41 __freea 67 API calls 7960->7961 7962 40a026 7961->7962 7963 407d41 __freea 67 API calls 7962->7963 7964 40a02e 7963->7964 7965 407d41 __freea 67 API calls 7964->7965 7966 40a036 7965->7966 7967 407d41 __freea 67 API calls 7966->7967 7968 40a03e 7967->7968 7969 407d41 __freea 67 API calls 7968->7969 7970 40a046 7969->7970 7971 407d41 __freea 67 API calls 7970->7971 7972 40a051 7971->7972 7973 407d41 __freea 67 API calls 7972->7973 7974 40a059 7973->7974 7975 407d41 __freea 67 API calls 7974->7975 7976 40a061 7975->7976 7977 407d41 __freea 67 API calls 7976->7977 7978 40a069 7977->7978 7979 407d41 __freea 67 API calls 7978->7979 7980 40a071 7979->7980 7981 407d41 __freea 67 API calls 7980->7981 7982 40a079 7981->7982 7983 407d41 __freea 67 API calls 7982->7983 7984 40a081 7983->7984 7985 407d41 __freea 67 API calls 7984->7985 7986 40a089 7985->7986 7987 407d41 __freea 67 API calls 7986->7987 7988 40a091 7987->7988 7989 407d41 __freea 67 API calls 7988->7989 7990 40a099 7989->7990 7991 407d41 __freea 67 API calls 7990->7991 7992 40a0a1 7991->7992 7993 407d41 __freea 67 API calls 7992->7993 7994 40a0a9 7993->7994 7995 407d41 __freea 67 API calls 7994->7995 7996 40a0b1 7995->7996 7997 407d41 __freea 67 API calls 7996->7997 7998 40a0b9 7997->7998 7999 407d41 __freea 67 API calls 7998->7999 8000 40a0c1 7999->8000 8001 407d41 __freea 67 API calls 8000->8001 8002 40a0c9 8001->8002 8003 407d41 __freea 67 API calls 8002->8003 8004 40a0d7 8003->8004 8005 407d41 __freea 67 API calls 8004->8005 8006 40a0e2 8005->8006 8007 407d41 __freea 67 API calls 8006->8007 8008 40a0ed 8007->8008 8009 407d41 __freea 67 API calls 8008->8009 8010 40a0f8 8009->8010 8011 407d41 __freea 67 API calls 8010->8011 8012 40a103 8011->8012 8013 407d41 __freea 67 API calls 8012->8013 8014 40a10e 8013->8014 8015 407d41 __freea 67 API calls 8014->8015 8016 40a119 8015->8016 8017 407d41 __freea 67 API calls 
[Call-graph residue collapsed: this span listed the remaining nodes and edges of the sample's function call graph, with per-node "N API calls" counts. All of the nodes shown resolve to the statically linked C runtime rather than to malware logic: code-page and locale setup (__setmbcp, GetOEMCP, GetACP, IsValidCodePage, GetCPInfo, GetLocaleInfoA), the LCMapStringA/W, GetStringTypeA/W and MultiByteToWideChar/WideCharToMultiByte wrappers, the CRT heap (HeapAlloc, HeapReAlloc, HeapSize, HeapFree, VirtualFree, _malloc/_realloc/__freea), printf and file output (_printf, WriteFile, GetConsoleMode, GetConsoleCP, SetFilePointer, critical-section locking), time handling (GetSystemTimeAsFileTime, __localtime64, GetTimeZoneInformation), environment access (SetEnvironmentVariableA) and CRT startup/error paths (__initterm, __encode_pointer/__decode_pointer, __invoke_watson, __amsg_exit, ___crtMessageBoxW).]

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 0 450000-450065 GetPEB 1 450067-450068 0->1 2 4500c3-450683 GetPEB 0->2 3 45006a-450082 1->3 10 450685-450688 2->10 11 4506a4-450703 2->11 4 450084-45008a 3->4 5 4500bf-4500c1 3->5 4->5 7 45008c-450092 4->7 5->2 5->3 7->5 8 450094-4500bd 7->8 8->2 12 45068e-4506a2 10->12 13 450793-45080d 11->13 14 450709-450717 11->14 12->11 12->12 15 450813-450821 13->15 16 4508d9-450c3b CreateToolhelp32Snapshot 13->16 14->13 17 450719-450727 14->17 15->16 19 450827-450835 15->19 42 450c47-450c57 Process32First 16->42 43 450c3d 16->43 17->13 18 450729-450737 17->18 18->13 20 450739-450747 18->20 19->16 22 45083b-450849 19->22 20->13 23 450749-450757 20->23 22->16 24 45084f-45085d 22->24 23->13 25 450759-450767 23->25 24->16 27 45085f-45086d 24->27 25->13 28 450769-450777 25->28 27->16 29 45086f-45087d 27->29 28->13 30 450779-450787 28->30 29->16 32 45087f-45088d 29->32 30->13 33 450789 30->33 32->16 34 45088f-45089d 32->34 33->13 34->16 35 45089f-4508ad 34->35 35->16 37 4508af-4508bd 35->37 37->16 38 4508bf-4508cd 37->38 38->16 40 4508cf 38->40 40->16 44 450c9f-450cb2 FindCloseChangeNotification CreateToolhelp32Snapshot 42->44 45 450c59-450c65 42->45 43->42 48 450cb4 44->48 49 450cbe-450cce Process32First 44->49 46 450c67-450c72 45->46 47 450c8d-450c9d Process32Next 45->47 50 450c78-450c7f 46->50 47->44 47->45 48->49 51 450d16-450d26 FindCloseChangeNotification 49->51 52 450cd0-450cdc 49->52 50->50 55 450c81-450c87 50->55 53 450db4-450dc0 51->53 54 450d2c-450d38 51->54 56 450d04-450d14 52->56 57 450cde-450ce9 52->57 60 450dc2-450dce 53->60 61 450e2e-450e4d 53->61 54->53 58 450d3a-450d46 54->58 55->47 56->51 56->52 59 450cef-450cf6 57->59 58->53 63 450d48-450d54 58->63 59->59 66 450cf8-450cfe 59->66 60->61 67 450dd0-450ddc 60->67 64 450e4f-450e56 61->64 65 450e6a 61->65 63->53 69 450d56-450d62 63->69 64->65 70 450e58-450e5f 64->70 71 450e71-450e74 65->71 66->56 67->61 68 450dde-450dea 67->68 68->61 72 
450dec-450df8 68->72 69->53 73 450d64-450d70 69->73 70->65 74 450e61-450e68 70->74 75 450e79 71->75 72->61 76 450dfa-450e06 72->76 73->53 77 450d72-450d7e 73->77 74->65 78 450e94 call 450e99 74->78 79 450e7e-450e83 75->79 76->61 81 450e08-450e14 76->81 77->53 82 450d80-450d8c 77->82 79->79 83 450e85-450e86 79->83 81->61 84 450e16-450e22 81->84 82->53 85 450d8e-450d9a 82->85 83->75 86 450e88-450e92 83->86 84->61 87 450e24 84->87 85->53 88 450d9c-450da8 85->88 86->71 86->78 87->61 88->53 89 450daa 88->89 89->53
                                                  APIs
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00450C30
                                                  • Process32First.KERNEL32(00000000,?), ref: 00450C4F
                                                  • Process32Next.KERNEL32(00000000,?), ref: 00450C95
                                                  • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00450CA0
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00450CA7
                                                  • Process32First.KERNEL32(00000000,?), ref: 00450CC6
                                                  • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00450D17
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1952013511.0000000000450000.00000040.00001000.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_450000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: Process32$ChangeCloseCreateFindFirstNotificationSnapshotToolhelp32$Next
                                                  • String ID: .$.$A$A$A$A$C$C$C$C\.x$C\EFee$CloseHandle$CreateToolhelp32Snapshot$E$E$F$G$G$G$GPA$GetCurrentProcessId$H$L.x$LoadLibraryA$M$M$M$N$O$P$P$P$Process32First$Process32Next$R$S$S$SL.x$T$T$T$U$V$V$VirtualAlloc$W$Z$\.x$a$a$a$a$a$a$a$a$c$c$c$c$c$d$d$d$d$d$d$d$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$f$h$h$h$i$i$i$i$i$i$l$l$l$l$l$l$l$l$l$m$m$m$m$n$n$n$n$n$n$o$o$o$o$o$o$o$o$o$o$p$perl.exe$python.exe$r$r$r$r$r$r$r$r$r$r$s$s$s$s$s$s$s$t$t$t$t$t$t$t$t$t$t$t$t$t$t$u$u$u$u$w$w$x$x$x$x$x$x$y
                                                  • API String ID: 1823789981-2117350679
                                                  • Opcode ID: 432e35f53d38935765511b0fbe434f2fa82f526ec8221e778a266a607cea303c
                                                  • Instruction ID: 3f484fcce8adac80f2dd1172fa0f2304118d84bd07716e270cfcc2b0df66e78d
                                                  • Opcode Fuzzy Hash: 432e35f53d38935765511b0fbe434f2fa82f526ec8221e778a266a607cea303c
                                                  • Instruction Fuzzy Hash: 9D92EE24D082E9C9EB22D76888187DDBFB15F12709F4841D9C49C6A282C7BA1FD9CF75

                                                  Control-flow Graph

                                                  control_flow_graph 90 450e99-450eb9 91 450ebb-450ecc 90->91 91->91 92 450ece-450ed6 91->92 92->91 93 450ed8-450ee3 92->93 93->91 94 450ee5-450ef2 93->94 94->91 95 450ef4-450f21 VirtualAlloc 94->95 96 450f23-450f24 95->96 97 450f26-450f2b call 450f98 96->97 97->96 100 450f2d-450f34 call 450f98 97->100 103 450f36-450f3d call 450f98 100->103 104 450f52-450f59 call 450fa4 100->104 109 450f62-450f65 103->109 110 450f3f-450f42 103->110 111 450f6b-450f7b call 450fa2 104->111 112 450f5b-450f60 call 450fa2 104->112 113 450fb4-45103b 109->113 114 450f67-450f69 109->114 116 450f44-450f4b call 450f98 110->116 119 450f87 111->119 123 450f7d-450f80 111->123 122 450f8a-450f8c 112->122 127 451054-451068 113->127 128 45103d-45103e 113->128 114->119 130 450f4d 116->130 125 450f88 119->125 132 450f8e-450f96 122->132 123->125 129 450f82-450f85 123->129 131 450f89 125->131 134 45128e-451294 127->134 135 45106e-451083 127->135 133 451040-451052 128->133 129->119 129->131 130->132 136 450f4f-450f50 130->136 131->122 132->97 133->127 133->133 135->134 137 451089-45108f 135->137 136->97 138 451094-45109c 137->138 138->138 139 45109e-4511d9 CreateProcessA NtUnmapViewOfSection VirtualAllocEx WriteProcessMemory 138->139 154 451226-45128b Wow64GetThreadContext WriteProcessMemory Wow64SetThreadContext ResumeThread ExitProcess 139->154 155 4511db-4511dc 139->155 156 4511de-451224 WriteProcessMemory 155->156 156->154 156->156
                                                  APIs
                                                  • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00450F11
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1952013511.0000000000450000.00000040.00001000.00020000.00000000.sdmp, Offset: 00450000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_450000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID: $%^&$CreateProcessA$D$ExitProcess$GetCommandLineA$GetModuleFileNameA$GetModuleHandleA$GetThreadContext$ResumeThread$SetThreadContext$VirtualAllocEx$WriteProcessMemory$ZwUnmapViewOfSection$ntdll
                                                  • API String ID: 4275171209-2101018042
                                                  • Opcode ID: 9fe747179fd92530bdc122f1d949c66d254e8853cb94c13f27415c2bfa8eeda8
                                                  • Instruction ID: 722bbce32e77a1ab4285947872b17978d6e0fb98ba0663573064efd4c053504a
                                                  • Opcode Fuzzy Hash: 9fe747179fd92530bdc122f1d949c66d254e8853cb94c13f27415c2bfa8eeda8
                                                  • Instruction Fuzzy Hash: 12D14DB2E042599FDF60CBA8CC88BDEBBB8AF09301F1441D5E649E7241D7749A85CF64

                                                  Control-flow Graph

                                                  control_flow_graph 157 401000-401181 call 40260c call 401540 call 401500 call 4025ed call 401540 * 2 call 4014e0 call 401a80 call 401a63 call 401913 177 401186-4011a2 157->177 178 4011a8-4011b2 177->178 179 401239 177->179 180 4011c3-4011cc 178->180 181 401243-40125c call 401540 179->181 183 4011ed-4011f7 180->183 184 4011ce-4011eb 180->184 188 40126d-401274 181->188 187 401208-401211 183->187 184->180 187->179 189 401213-401237 call 401a80 187->189 190 401343-4013c5 call 401540 call 4018b9 call 401893 188->190 191 40127a-401284 188->191 189->187 213 4013d6-4013dd 190->213 194 401295-40129c 191->194 197 4012b1-4012c5 194->197 198 40129e-4012af 194->198 202 4012d6-4012dd 197->202 198->194 204 40133e 202->204 205 4012df-4012ed 202->205 204->188 208 40133c 205->208 209 4012ef-4012fd 205->209 208->202 212 401311-401318 209->212 214 40131a-40132b 212->214 215 40132d-401336 212->215 217 401425-4014b3 call 401540 call 401500 call 401520 213->217 218 4013df-401423 call 401867 call 401a80 call 401725 call 401a80 call 40157e 213->218 214->212 215->208 217->181 232 4014b9-4014d2 call 40265d 217->232 218->213
                                                  APIs
                                                  • __time64.LIBCMT ref: 00401072
                                                    • Part of subcall function 0040260C: GetSystemTimeAsFileTime.KERNEL32(00401077,6F4E0000,6F4E0000,?,00401077,?), ref: 00402617
                                                    • Part of subcall function 0040260C: __aulldiv.LIBCMT ref: 00402637
                                                    • Part of subcall function 00401540: __time64.LIBCMT ref: 00401547
                                                    • Part of subcall function 00401500: __localtime64.LIBCMT ref: 00401507
                                                  • _strftime.LIBCMT ref: 004010B3
                                                    • Part of subcall function 004025ED: __Strftime_l.LIBCMT ref: 00402602
                                                    • Part of subcall function 004014E0: __localtime64.LIBCMT ref: 004014E7
                                                  • _printf.LIBCMT ref: 00401161
                                                  • _wscanf.LIBCMT ref: 00401172
                                                    • Part of subcall function 00401A63: _vscanf.LIBCMT ref: 00401A76
                                                  • _malloc.LIBCMT ref: 00401181
                                                    • Part of subcall function 00401913: __FF_MSGBANNER.LIBCMT ref: 00401936
                                                    • Part of subcall function 00401913: __NMSG_WRITE.LIBCMT ref: 0040193D
                                                    • Part of subcall function 00401913: RtlAllocateHeap.NTDLL(00000000,00401086,00000001,00000000,00000000,?,00407E48,00401095,00000001,00401095,?,00404B6B,00000018,00410868,0000000C,00404BFC), ref: 0040198A
                                                  • _printf.LIBCMT ref: 0040122F
                                                  • _printf.LIBCMT ref: 004013F4
                                                  • _printf.LIBCMT ref: 00401411
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1951811072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1951778878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1951848888.000000000040F000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1951886894.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1951911725.0000000000417000.00000080.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: _printf$Time__localtime64__time64$AllocateFileHeapStrftime_lSystem__aulldiv_malloc_strftime_vscanf_wscanf
                                                  • String ID: (>A$Enter the size of the array$Now it's %I:%M%p.$]$array[ %i ] = %i$b$tolower=%#04x$toupper=%#04x
                                                  • API String ID: 670006484-2990831102
                                                  • Opcode ID: b2db1cf0d62a7a1df71767ceca434ca2336bc6bbaffef19ff7b211a6af719369
                                                  • Instruction ID: 4f2f6989c99f30ab030c173d7e0d8eae3c35c7fd25001cc8103bbdcba4aafd0f
                                                  • Opcode Fuzzy Hash: b2db1cf0d62a7a1df71767ceca434ca2336bc6bbaffef19ff7b211a6af719369
                                                  • Instruction Fuzzy Hash: 1DD14AB0D002289BDB24DF54DC85BDEB7B1AF55308F1481FAE409BB291D7785A88CF5A

                                                  Control-flow Graph

                                                  control_flow_graph 240 408b70-408b84 call 4056d8 243 408bb0-408bb5 call 40571d 240->243 244 408b86-408b97 call 404be1 240->244 249 408ba4-408bab call 408bb6 244->249 250 408b99 call 40845b 244->250 249->243 253 408b9e 250->253 253->249
                                                  APIs
                                                  • __lock.LIBCMT ref: 00408B88
                                                    • Part of subcall function 00404BE1: __mtinitlocknum.LIBCMT ref: 00404BF7
                                                    • Part of subcall function 00404BE1: __amsg_exit.LIBCMT ref: 00404C03
                                                    • Part of subcall function 00404BE1: EnterCriticalSection.KERNEL32(?,?,?,0040BA81,00000004,00410A30,0000000C,00407E92,00401095,?,00000000,00000000,00000000,?,00403F6F,00000001), ref: 00404C0B
                                                  • __tzset_nolock.LIBCMT ref: 00408B99
                                                    • Part of subcall function 0040845B: __lock.LIBCMT ref: 0040847D
                                                    • Part of subcall function 0040845B: __get_daylight.LIBCMT ref: 00408492
                                                    • Part of subcall function 0040845B: __invoke_watson.LIBCMT ref: 004084A1
                                                    • Part of subcall function 0040845B: __get_daylight.LIBCMT ref: 004084AD
                                                    • Part of subcall function 0040845B: __invoke_watson.LIBCMT ref: 004084BC
                                                    • Part of subcall function 0040845B: __get_daylight.LIBCMT ref: 004084C8
                                                    • Part of subcall function 0040845B: __invoke_watson.LIBCMT ref: 004084D7
                                                    • Part of subcall function 0040845B: ____lc_codepage_func.LIBCMT ref: 004084DF
                                                    • Part of subcall function 0040845B: __getenv_helper_nolock.LIBCMT ref: 00408501
                                                    • Part of subcall function 0040845B: _strlen.LIBCMT ref: 0040853F
                                                    • Part of subcall function 0040845B: __malloc_crt.LIBCMT ref: 00408546
                                                    • Part of subcall function 0040845B: _strlen.LIBCMT ref: 0040855C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1951811072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1951778878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1951848888.000000000040F000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1951886894.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1951911725.0000000000417000.00000080.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: __get_daylight__invoke_watson$__lock_strlen$CriticalEnterSection____lc_codepage_func__amsg_exit__getenv_helper_nolock__malloc_crt__mtinitlocknum__tzset_nolock
                                                  • String ID:
                                                  • API String ID: 4157481694-0
                                                  • Opcode ID: c7f31a1d4a058eae2b9e636cd5265e34a1be37d50d03c7947e5d46c2ca08a6d7
                                                  • Instruction ID: 324dde565b162ab01d3bdb5b066eb1cd2e32da2d57cf63b2d15619d91760b843
                                                  • Opcode Fuzzy Hash: c7f31a1d4a058eae2b9e636cd5265e34a1be37d50d03c7947e5d46c2ca08a6d7
                                                  • Instruction Fuzzy Hash: 83E08670441E10EAD621B7A65A0378D7531BBC4725F70417FB488351D3CDBC2A419A5D

                                                  Control-flow Graph

                                                  control_flow_graph 254 407103-407107 255 407109-40710d 254->255 256 40710f-407112 254->256 255->256 257 407133-407135 255->257 258 407114-40711d 256->258 259 40711f-407124 call 4099f2 256->259 260 40712b-40712e 258->260 262 407129-40712a 259->262 260->257 263 407130-407132 260->263 262->260
                                                  APIs
                                                  • __flsbuf.LIBCMT ref: 00407124
                                                    • Part of subcall function 004099F2: __fileno.LIBCMT ref: 004099FD
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1951811072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1951778878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1951848888.000000000040F000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1951886894.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1951911725.0000000000417000.00000080.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: __fileno__flsbuf
                                                  • String ID:
                                                  • API String ID: 3539722517-0
                                                  • Opcode ID: a7fd463d1462fdecfb02403b93696123d4dc31a10f65dcfac963927859753d76
                                                  • Instruction ID: 401a9f45719788e4c8eabb04499cbac46cb5b17e17a3d3055bd240d0f2ccddd3
                                                  • Opcode Fuzzy Hash: a7fd463d1462fdecfb02403b93696123d4dc31a10f65dcfac963927859753d76
                                                  • Instruction Fuzzy Hash: 3FE0DF7080C1508ECB250B24D0463317BA49F01729F3486EFD6A19D3E3C73EA443EA5A

                                                  Control-flow Graph

                                                  control_flow_graph 264 4058cc-4058ee HeapCreate 265 4058f0-4058f1 264->265 266 4058f2-4058fb 264->266
                                                  APIs
                                                  • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 004058E1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1951811072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1951778878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1951848888.000000000040F000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1951886894.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1951911725.0000000000417000.00000080.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: CreateHeap
                                                  • String ID:
                                                  • API String ID: 10892065-0
                                                  • Opcode ID: e4f5d108d405d295bc0002871e95bd394c44992bb00b28adc3b436614e4a0fe8
                                                  • Instruction ID: 6aaf9fe063add752b61b2aa980ab7dc932686663a6dbf25c46348cfceecdd98d
                                                  • Opcode Fuzzy Hash: e4f5d108d405d295bc0002871e95bd394c44992bb00b28adc3b436614e4a0fe8
                                                  • Instruction Fuzzy Hash: 02D05E36994744AEDB105F786C087A23BDCD784795F10C436B80DC6190E674D5909608

                                                  Control-flow Graph

                                                  control_flow_graph 267 401500-401510 call 402b8e
                                                  APIs
                                                  • __localtime64.LIBCMT ref: 00401507
                                                    • Part of subcall function 00402B8E: __localtime64_s.LIBCMT ref: 00402BA3
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1951811072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1951778878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1951848888.000000000040F000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1951886894.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1951911725.0000000000417000.00000080.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: __localtime64__localtime64_s
                                                  • String ID:
                                                  • API String ID: 2245452549-0
                                                  • Opcode ID: 860c7a24e3cb325a2e66dd30bbfd9e2908cca0795bbd3a5371069fd1c45ff796
                                                  • Instruction ID: 5e9cd907073b68deb71bc28f8ae21485e13a8c2f34ddf4d9bc98e50b54af7c5f
                                                  • Opcode Fuzzy Hash: 860c7a24e3cb325a2e66dd30bbfd9e2908cca0795bbd3a5371069fd1c45ff796
                                                  • Instruction Fuzzy Hash: 86B012B280030C13CD006ED9A8068C6339C4504528B040031BD0D57241E475F55081D6
                                                  APIs
                                                  • IsDebuggerPresent.KERNEL32 ref: 00408D93
                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00408DA8
                                                  • UnhandledExceptionFilter.KERNEL32(0040FD40), ref: 00408DB3
                                                  • GetCurrentProcess.KERNEL32(C0000409), ref: 00408DCF
                                                  • TerminateProcess.KERNEL32(00000000), ref: 00408DD6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1951811072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1951778878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1951848888.000000000040F000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1951886894.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1951911725.0000000000417000.00000080.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                  • String ID:
                                                  • API String ID: 2579439406-0
                                                  • Opcode ID: b011bbce0cb64f31c2483c54603d4609ea0e3b234c779fda99a2c00f9339126f
                                                  • Instruction ID: 1cbcf472d4f1c4e9bcc484c579d98ea6fcf0c0aff9e1f63b6844ea6ade5c710d
                                                  • Opcode Fuzzy Hash: b011bbce0cb64f31c2483c54603d4609ea0e3b234c779fda99a2c00f9339126f
                                                  • Instruction Fuzzy Hash: F721E0B4501B04EFD710DF24EA496C93BA1FB98315F90803AE90CDB6A1E7B459858F8D
                                                  APIs
                                                  • SetUnhandledExceptionFilter.KERNEL32(Function_00009042), ref: 00409089
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1951811072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1951778878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1951848888.000000000040F000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1951886894.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1951911725.0000000000417000.00000080.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled
                                                  • String ID:
                                                  • API String ID: 3192549508-0
                                                  • Opcode ID: 35161e0d1356dbe8c274ba1c7004aa641c487930d54cd747692eaf1e5361c30c
                                                  • Instruction ID: 58db3f285ec8d5a89d099b5db9ebf943e05dd78541e1cca3a0f14ccd4e91b455
                                                  • Opcode Fuzzy Hash: 35161e0d1356dbe8c274ba1c7004aa641c487930d54cd747692eaf1e5361c30c
                                                  • Instruction Fuzzy Hash: 739002A435110146C61057745E0A61525945A5C60279104B57551E4497DA7844495519
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1951811072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1951778878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1951848888.000000000040F000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1951886894.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1951911725.0000000000417000.00000080.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c27e7594142597b4403d6c42a23221625ee789099d069965c3e0383fe78a3ba0
                                                  • Instruction ID: 2b5ade2ffd0ab162c1f9abc124a09311918403f509a5591ba902c42f857f0f66
                                                  • Opcode Fuzzy Hash: c27e7594142597b4403d6c42a23221625ee789099d069965c3e0383fe78a3ba0
                                                  • Instruction Fuzzy Hash: 9971D1B9A45701CFC368DF59FA909917BE2B788310314827ED809A7B74E7B26859CF4C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1951811072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1951778878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1951848888.000000000040F000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1951886894.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1951911725.0000000000417000.00000080.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8d9cf30f1c007843b6c70dff1b8e244de280319b0d04d27d3e420eb4201781f9
                                                  • Instruction ID: 17f9ac8a5f371fb2956361746fdea33a3a21c95aeec0e0710bc4068744d4bdee
                                                  • Opcode Fuzzy Hash: 8d9cf30f1c007843b6c70dff1b8e244de280319b0d04d27d3e420eb4201781f9
                                                  • Instruction Fuzzy Hash: BED0BCBD5652458FC324DF59FA8099577F5B388710B1481BED808A3BB4EB326846CF8C
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(KERNEL32.DLL,00410818,0000000C,00403F98,00000000,00000000,?,?,00408F52,?,00402B99,?,?,0040150C,00401095), ref: 00403E6F
                                                  • __crt_waiting_on_module_handle.LIBCMT ref: 00403E7A
                                                    • Part of subcall function 004058FC: Sleep.KERNEL32(000003E8,00000000,?,00403DC0,KERNEL32.DLL,?,00403E0C,?,00403F5B,?,?,00408F52,?,00402B99), ref: 00405908
                                                    • Part of subcall function 004058FC: GetModuleHandleW.KERNEL32(00401095,?,00403DC0,KERNEL32.DLL,?,00403E0C,?,00403F5B,?,?,00408F52,?,00402B99,?,?,0040150C), ref: 00405911
                                                  • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00403EA3
                                                  • GetProcAddress.KERNEL32(?,DecodePointer), ref: 00403EB3
                                                  • __lock.LIBCMT ref: 00403ED5
                                                  • InterlockedIncrement.KERNEL32(C0330000), ref: 00403EE2
                                                  • __lock.LIBCMT ref: 00403EF6
                                                  • ___addlocaleref.LIBCMT ref: 00403F14
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1951811072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1951778878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1951848888.000000000040F000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1951886894.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1951911725.0000000000417000.00000080.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
                                                  • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
                                                  • API String ID: 1028249917-2843748187
                                                  • Opcode ID: 62c29ca30fe690be80b670c7550564bbb71577b0fe4611071b683c5b52d3fced
                                                  • Instruction ID: e6be2f35c84482997377226978fcafb28510314ce4477f0dc715efd663c8df43
                                                  • Opcode Fuzzy Hash: 62c29ca30fe690be80b670c7550564bbb71577b0fe4611071b683c5b52d3fced
                                                  • Instruction Fuzzy Hash: C0118171804701AED720AF6AD801B4ABBE4AF40314F20893FE499B76E1C778AA458F5C
                                                  APIs
                                                  • __getptd.LIBCMT ref: 00403520
                                                    • Part of subcall function 00403FBD: __getptd_noexit.LIBCMT ref: 00403FC0
                                                    • Part of subcall function 00403FBD: __amsg_exit.LIBCMT ref: 00403FCD
                                                  • __amsg_exit.LIBCMT ref: 00403540
                                                  • __lock.LIBCMT ref: 00403550
                                                  • InterlockedDecrement.KERNEL32(?), ref: 0040356D
                                                  • InterlockedIncrement.KERNEL32(022A1690), ref: 00403598
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1951811072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1951778878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1951848888.000000000040F000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1951886894.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1951911725.0000000000417000.00000080.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                                                  • String ID:
                                                  • API String ID: 4271482742-0
                                                  • Opcode ID: 5df685b2d4ff7844c5bd34b25d643d43be0901ae0d60343f199282d100477afd
                                                  • Instruction ID: 92f0e3b2e6ed95d94f9546428c73b7b5e2ba20927b2db2befe354ed71bbc3d31
                                                  • Opcode Fuzzy Hash: 5df685b2d4ff7844c5bd34b25d643d43be0901ae0d60343f199282d100477afd
                                                  • Instruction Fuzzy Hash: D5013C71D05A21BBC721AF669C4679A7A64AF04B26F10403BE804772E0C73C6F81DB9D
                                                  APIs
                                                  • __lock.LIBCMT ref: 00407D5F
                                                    • Part of subcall function 00404BE1: __mtinitlocknum.LIBCMT ref: 00404BF7
                                                    • Part of subcall function 00404BE1: __amsg_exit.LIBCMT ref: 00404C03
                                                    • Part of subcall function 00404BE1: EnterCriticalSection.KERNEL32(?,?,?,0040BA81,00000004,00410A30,0000000C,00407E92,00401095,?,00000000,00000000,00000000,?,00403F6F,00000001), ref: 00404C0B
                                                  • ___sbh_find_block.LIBCMT ref: 00407D6A
                                                  • ___sbh_free_block.LIBCMT ref: 00407D79
                                                  • HeapFree.KERNEL32(00000000,00401095,004108A8,0000000C,00404BC2,00000000,00410868,0000000C,00404BFC,00401095,?,?,0040BA81,00000004,00410A30,0000000C), ref: 00407DA9
                                                  • GetLastError.KERNEL32(?,0040BA81,00000004,00410A30,0000000C,00407E92,00401095,?,00000000,00000000,00000000,?,00403F6F,00000001,00000214), ref: 00407DBA
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1951811072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1951778878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1951848888.000000000040F000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1951886894.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1951911725.0000000000417000.00000080.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                                                  • String ID:
                                                  • API String ID: 2714421763-0
                                                  • Opcode ID: 39ea70232c63982910e9d136f7a399fd9e1dbce77d86a7b5998757ed287da0cd
                                                  • Instruction ID: 34b8cd3847168ab63b87538d20a3b3f1e4210f295e991ba16a71f8fb8ad5fbac
                                                  • Opcode Fuzzy Hash: 39ea70232c63982910e9d136f7a399fd9e1dbce77d86a7b5998757ed287da0cd
                                                  • Instruction Fuzzy Hash: 6C01A771C09602EADB247B719C06B6E3A649F80724F24453FF104B61D1DA3CB5808A5E
                                                  APIs
                                                  • __getptd.LIBCMT ref: 00403C8C
                                                    • Part of subcall function 00403FBD: __getptd_noexit.LIBCMT ref: 00403FC0
                                                    • Part of subcall function 00403FBD: __amsg_exit.LIBCMT ref: 00403FCD
                                                  • __getptd.LIBCMT ref: 00403CA3
                                                  • __amsg_exit.LIBCMT ref: 00403CB1
                                                  • __lock.LIBCMT ref: 00403CC1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1951811072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1951778878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1951848888.000000000040F000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1951886894.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1951911725.0000000000417000.00000080.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                                                  • String ID:
                                                  • API String ID: 3521780317-0
                                                  • Opcode ID: 353a360a9f99db0f986ccedb4980b580dba88be788f37290ad2022610b0ed0b3
                                                  • Instruction ID: a03166e23443d952c10434021af3fa9187dc3760f03370781f7eb4553242607c
                                                  • Opcode Fuzzy Hash: 353a360a9f99db0f986ccedb4980b580dba88be788f37290ad2022610b0ed0b3
                                                  • Instruction Fuzzy Hash: 4BF062729446009BE620BF65880274A7AA4AF40716F1045BFB450BB3D1CB7C6A458E5E
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1951811072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1951778878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1951848888.000000000040F000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1951886894.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1951911725.0000000000417000.00000080.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: __fileno__getbuf
                                                  • String ID: 0<A
                                                  • API String ID: 2304796792-2835494011
                                                  • Opcode ID: a9229c7ff10de724c1e5643abb31d5551913095730d18a3f4f917c8bb872940b
                                                  • Instruction ID: 06f671f2107f40e245f7a18af2f9c8ff72ce3ff2496c22b9d65d013ef3bc46ee
                                                  • Opcode Fuzzy Hash: a9229c7ff10de724c1e5643abb31d5551913095730d18a3f4f917c8bb872940b
                                                  • Instruction Fuzzy Hash: 4731DD72100A048AD7355E29D85077737D0DF91374B248B3BD4BAE77E1D73E9842869E
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1951811072.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.1951778878.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1951848888.000000000040F000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1951886894.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000000.00000002.1951911725.0000000000417000.00000080.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: __calloc_crt
                                                  • String ID: p/A
                                                  • API String ID: 3494438863-3094870057
                                                  • Opcode ID: ac4e5899ea419d60142fe140e0fc08832b1ff1ee1eb3086185fbb16b46d9d66c
                                                  • Instruction ID: f5dc5b0637e48e2814202b214ca522087a2bda774d57243db77a1596ffafc616
                                                  • Opcode Fuzzy Hash: ac4e5899ea419d60142fe140e0fc08832b1ff1ee1eb3086185fbb16b46d9d66c
                                                  • Instruction Fuzzy Hash: C511E73174861097E7144F2DBC506E23A9DAB89369B24423FF515EF3E4E738E982824C

                                                  Execution Graph

                                                  Execution Coverage: 8.2%
                                                  Dynamic/Decrypted Code Coverage: 24.2%
                                                  Signature Coverage: 26.9%
                                                  Total number of Nodes: 867
                                                  Total number of Limit Nodes: 5
lstrcpyA lstrcatA 3804->3807 3806->3804 3806->3805 3813 404ce0 3807->3813 3809 404e74 StrStrA 3809->3806 3810 404e86 lstrcpyA 3809->3810 3811 404ce0 2 API calls 3810->3811 3812 404e9f lstrcatA MoveFileExA 3811->3812 3812->3806 3814 404cfd GetVolumeInformationA 3813->3814 3817 404cf3 3813->3817 3816 404d2e 3814->3816 3815 404d66 GetTickCount 3815->3817 3816->3815 3817->3809 3818 405d90 FindFirstFileA 3821 405dc5 3818->3821 3823 405dbe 3818->3823 3819 405dd8 CreateToolhelp32Snapshot Process32First lstrcmpiA 3820 405e25 lstrcmpiA 3819->3820 3819->3821 3820->3821 3822 405e43 Process32Next 3820->3822 3821->3819 3821->3823 3824 405e65 FindNextFileA 3821->3824 3822->3820 3822->3821 3824->3821 3824->3823 3695 40a3d8 3696 40a3ea 3695->3696 3697 40a559 3696->3697 3699 40a3f5 3696->3699 3700 40a47b 3696->3700 3698 40a5f5 CharLowerA CharLowerA 3697->3698 3697->3699 3698->3699 3700->3699 3701 40a310 2 API calls 3700->3701 3701->3700 3052 40b75b 3053 40b779 FreeSid 3052->3053 3054 40b783 3053->3054 3055 409060 3056 409083 3055->3056 3057 409096 GetModuleHandleA GetProcAddress 3056->3057 3105 40b4f0 3057->3105 3060 40a860 2 API calls 3061 4090c4 3060->3061 3062 4090dc GetWindowsDirectoryA lstrlenA 3061->3062 3109 40b5e0 AllocateAndInitializeSid 3061->3109 3064 409109 3062->3064 3068 4092e7 3062->3068 3114 40b260 SetLastError RegCreateKeyExA GetLastError 3064->3114 3077 409339 SHGetFolderPathA 3068->3077 3069 409292 3072 409660 35 API calls 3069->3072 3074 4092a1 3072->3074 3073 409660 35 API calls 3079 409145 3073->3079 3075 409660 35 API calls 3074->3075 3076 4092b3 3075->3076 3080 4092d2 3076->3080 3132 4095d0 SetLastError RegCreateKeyExA GetLastError 3076->3132 3078 409361 3077->3078 3135 40b3b0 RegOpenKeyExA 3078->3135 3085 40917e RegEnumKeyA 3079->3085 3082 4095d0 7 API calls 3080->3082 3084 4092df 3082->3084 3085->3069 3088 4091a4 lstrcpyA lstrcatA lstrcatA 3085->3088 3087 4093ae wsprintfA wsprintfA CreateDirectoryA 3090 40940f 3087->3090 3091 409660 35 API calls 3088->3091 
3089 40a9e0 GetTickCount 3092 409393 3089->3092 3097 409425 6 API calls 3090->3097 3093 4091ed 3091->3093 3094 40b2d0 3 API calls 3092->3094 3095 409203 lstrcpyA lstrcatA lstrcatA 3093->3095 3096 4093ab 3094->3096 3098 409660 35 API calls 3095->3098 3096->3087 3140 40b1a0 SetLastError RegCreateKeyExA GetLastError 3097->3140 3098->3079 3101 4094e1 3102 4094f4 3101->3102 3144 409510 RegCreateKeyExA GetLastError 3101->3144 3104 409510 7 API calls 3102->3104 3104->3084 3106 404c90 3105->3106 3107 40b50c GetVersionExA 3106->3107 3108 4090ba 3107->3108 3108->3060 3110 40b62a CheckTokenMembership 3109->3110 3111 4090d7 3109->3111 3112 40b645 FreeSid 3110->3112 3113 40b63e 3110->3113 3111->3062 3112->3111 3113->3112 3115 40b2a4 RegDeleteValueA RegCloseKey 3114->3115 3116 40910e 3114->3116 3115->3116 3116->3069 3117 409660 RegOpenKeyExA 3116->3117 3118 409133 3117->3118 3129 40968a 3117->3129 3118->3073 3119 4096d2 RegEnumValueA 3120 40994e RegCloseKey 3119->3120 3119->3129 3120->3118 3121 4098b0 StrRChrA 3121->3129 3124 409763 StrRChrA 3124->3129 3128 409850 lstrlenA 3128->3129 3129->3119 3129->3121 3129->3124 3129->3128 3130 409874 lstrcatA DeleteFileA 3129->3130 3147 409960 3129->3147 3153 409a10 3129->3153 3161 409ba0 3129->3161 3173 40a0c0 3129->3173 3184 409fe0 SetFileAttributesA DeleteFileA 3129->3184 3165 409ef0 3130->3165 3133 409613 RegDeleteValueA RegDeleteValueA RegDeleteValueA RegDeleteValueA 3132->3133 3134 40964f 3132->3134 3133->3134 3134->3080 3136 40b3e2 RegQueryValueExA 3135->3136 3137 409377 3135->3137 3138 40b40e RegCloseKey 3136->3138 3137->3087 3137->3089 3138->3137 3141 4094b6 lstrcatA DeleteFileA 3140->3141 3142 40b1e4 3140->3142 3141->3101 3143 40b1f7 wsprintfA lstrlenA RegSetValueExA RegCloseKey 3142->3143 3143->3141 3145 4095bd 3144->3145 3146 40954f RegSetValueExA RegSetValueExA RegSetValueExA RegSetValueExA RegCloseKey 3144->3146 3145->3102 3146->3145 3148 40996b 3147->3148 3149 4099b6 3148->3149 3152 40999a 3148->3152 3189 40a180 lstrlenA 
3148->3189 3151 40a180 3 API calls 3149->3151 3149->3152 3151->3149 3152->3129 3160 409a20 3153->3160 3154 409a77 3154->3129 3155 40a180 3 API calls 3155->3160 3157 40a180 3 API calls 3158 409adf 3157->3158 3158->3154 3158->3157 3159 409ce0 4 API calls 3158->3159 3159->3158 3160->3154 3160->3155 3160->3158 3192 409ce0 3160->3192 3162 409ca7 GetFileAttributesA 3161->3162 3164 409bb5 3161->3164 3163 409ca0 3162->3163 3163->3129 3164->3162 3164->3163 3166 404c90 3165->3166 3167 409f0c lstrlenA 3166->3167 3201 403e50 3167->3201 3170 409f69 3172 409f9b CreateProcessA 3170->3172 3171 409f4d lstrlenA 3171->3170 3172->3129 3174 404c90 3173->3174 3175 40a0dc CreateToolhelp32Snapshot Process32First lstrcmpiA 3174->3175 3176 40a120 3175->3176 3177 40a133 lstrcmpiA 3175->3177 3203 40a090 OpenProcess 3176->3203 3179 40a157 Process32Next 3177->3179 3180 40a148 3177->3180 3179->3177 3183 40a16e CloseHandle 3179->3183 3180->3179 3182 40a090 2 API calls 3180->3182 3182->3180 3183->3129 3185 40a072 RegDeleteValueA 3184->3185 3186 40a006 3184->3186 3185->3129 3187 40a019 lstrcpyA StrRChrA 3186->3187 3187->3185 3188 40a04d lstrcpyA MoveFileExA 3187->3188 3188->3185 3190 40a310 2 API calls 3189->3190 3191 40a1bf 3190->3191 3191->3148 3198 409ced 3192->3198 3193 409cfe lstrlenA 3193->3198 3194 409e17 3194->3160 3195 409e2e 3199 409ea5 StrChrA 3195->3199 3196 409dfa 3196->3194 3196->3195 3197 409e91 SHGetFolderPathA 3196->3197 3197->3199 3198->3193 3198->3196 3199->3194 3200 409ed0 lstrcatA 3199->3200 3200->3194 3202 403e62 StrRChrA 3201->3202 3202->3170 3202->3171 3204 40a0ab 3203->3204 3205 40a0ad TerminateProcess 3203->3205 3204->3183 3205->3204 3206 40b660 3207 40b666 3206->3207 3208 40b673 GetForegroundWindow ShellExecuteExW 3207->3208 3208->3207 3209 40b6cb 3208->3209 3210 405660 3211 404c90 3210->3211 3212 40567c SHGetFolderPathA lstrcatA SetFileAttributesA DeleteFileA 3211->3212 3213 404c90 3212->3213 3214 4056d8 SHGetFolderPathA lstrcatA SetFileAttributesA DeleteFileA 3213->3214 
3215 407c60 3227 407d90 3215->3227 3218 407c8f ExitProcess 3219 407d80 3220 407ca4 GetProcessVersion 3221 407d70 Sleep 3220->3221 3226 407c97 3220->3226 3221->3226 3222 404a60 2 API calls 3222->3226 3223 407ce4 SHGetFolderPathA lstrcatA 3223->3226 3224 407d29 CreateProcessA 3225 405ad0 13 API calls 3224->3225 3225->3226 3226->3219 3226->3220 3226->3221 3226->3222 3226->3223 3226->3224 3228 407d9b 3227->3228 3229 407c6b SetLastError CreateMutexA GetLastError 3228->3229 3230 407da8 LoadLibraryW 3228->3230 3229->3218 3229->3226 3230->3228 3702 40a6e0 SetLastError RegCreateKeyExA GetLastError 3703 40a790 3702->3703 3704 40a723 3702->3704 3705 40a736 wsprintfA lstrlenA RegSetValueExA RegCloseKey 3704->3705 3705->3703 3706 40bbe0 3707 404c90 3706->3707 3708 40bc01 lstrcpyA LoadLibraryW 3707->3708 3709 40bc29 3708->3709 3710 40bc54 GetProcAddress GetProcAddress 3709->3710 3715 40bb40 VirtualProtect 3710->3715 3713 40bb40 2 API calls 3714 40bca5 3713->3714 3716 40bb74 3715->3716 3724 40bae0 VirtualProtect 3716->3724 3718 40bb90 3719 40bb99 3718->3719 3720 40bbae 3718->3720 3725 40bae0 VirtualProtect 3719->3725 3726 40bae0 VirtualProtect 3720->3726 3723 40bba9 3723->3713 3724->3718 3725->3723 3726->3723 3825 40b4a0 RegOpenKeyExA 3826 40b4e1 3825->3826 3827 40b4c9 RegDeleteValueA RegCloseKey 3825->3827 3827->3826 3828 40a8a0 3829 40a8bc 3828->3829 3830 40a8dc SHGetFolderPathA lstrcatA lstrcatA 3829->3830 3831 40a928 CreateProcessA 3830->3831 3832 40a94d CreateProcessA 3830->3832 3833 40a96e 3831->3833 3832->3833 3834 4036a0 SetLastError CreateMutexA GetLastError 3835 4036d5 CreateThread 3834->3835 3836 4036cd ExitProcess 3834->3836 3837 404aa0 VirtualAllocEx 3838 404acf VirtualAllocEx 3837->3838 3840 404ac8 3837->3840 3839 404af6 WriteProcessMemory WriteProcessMemory CreateRemoteThread 3838->3839 3838->3840 3839->3840 3845 403fa0 3846 403fb0 3845->3846 3847 403fc4 3845->3847 3848 403fb6 3846->3848 3849 40401b DestroyWindow 3846->3849 3850 403fe4 3847->3850 3851 403fc2 
DefWindowProcA 3847->3851 3854 403fbc 3848->3854 3855 403fcf 3848->3855 3860 403fd8 3849->3860 3852 404012 3850->3852 3853 403fed CloseHandle 3850->3853 3851->3860 3857 404370 57 API calls 3852->3857 3853->3850 3854->3851 3858 404029 UnregisterDeviceNotification PostQuitMessage 3854->3858 3861 403f50 3855->3861 3857->3860 3858->3860 3862 403f87 RegisterDeviceNotificationA 3861->3862 3862->3860 3631 404825 3632 404917 lstrlenA lstrlenA MultiByteToWideChar 3631->3632 3633 404140 10 API calls 3632->3633 3649 4048b6 3633->3649 3634 404991 FindNextFileA 3636 4045fa lstrcmpA 3634->3636 3637 4049ad 6 API calls 3634->3637 3635 404973 SetFileAttributesA SetFileAttributesA 3635->3634 3636->3634 3639 404616 3636->3639 3638 404a4c 3637->3638 3638->3638 3640 404679 lstrcpyA 3639->3640 3641 4046ab lstrlenA 3640->3641 3642 40469c 3641->3642 3642->3641 3643 4047a5 wsprintfA wsprintfA StrStrA 3642->3643 3651 404736 wsprintfA wsprintfA MoveFileA 3642->3651 3644 404801 SetFileAttributesA DeleteFileA 3643->3644 3645 40482a StrStrA 3643->3645 3644->3634 3646 404840 StrStrA 3645->3646 3647 404898 GetFileAttributesA 3645->3647 3646->3647 3648 404856 StrStrA 3646->3648 3647->3649 3650 4048cc SetFileAttributesA DeleteFileA CopyFileA SetFileAttributesA 3647->3650 3648->3647 3652 40486c StrStrA 3648->3652 3649->3632 3649->3634 3649->3635 3649->3650 3650->3649 3651->3642 3652->3647 3653 404882 StrStrA 3652->3653 3653->3632 3653->3647 2902 404fb0 CreateThread 2929 404c90 2902->2929 2978 407020 GetModuleHandleA SetLastError CreateMutexA GetLastError 2902->2978 2905 405036 GetCommandLineA StrStrA 2907 4050d0 CreateThread GetProcessHeap 2905->2907 2908 405050 SetLastError CreateMutexA GetLastError 2905->2908 2931 404a60 2907->2931 2973 405590 2907->2973 2909 405081 2908->2909 2910 405079 ExitProcess 2908->2910 2955 40b2d0 RegCreateKeyExA 2909->2955 2913 4050fc 2916 40512a SHGetFolderPathW 2913->2916 2914 40509a 2915 4050ae GetModuleFileNameA 2914->2915 2958 40b120 SetLastError RegCreateKeyExA 
GetLastError 2915->2958 2918 404c90 2916->2918 2920 405158 11 API calls 2918->2920 2921 405264 2920->2921 2922 405277 lstrcatW CreateProcessW 2921->2922 2935 405ad0 2922->2935 2925 404c90 2926 405361 GetModuleFileNameW 2925->2926 2949 4053a0 2926->2949 2928 40502c ExitProcess 2930 404ca5 GetModuleFileNameW GetModuleHandleA GetProcAddress GetCommandLineA StrStrA 2929->2930 2930->2905 2930->2928 2932 404a92 2931->2932 2933 404a74 GetCurrentProcess IsWow64Process 2931->2933 2932->2913 2933->2932 2934 404a8b 2933->2934 2934->2932 2961 405aa0 2935->2961 2937 405ade 2964 4058c0 IsBadReadPtr 2937->2964 2940 4052de FindResourceA LoadResource SizeofResource LockResource VirtualProtect 2940->2925 2941 405bd4 CreateRemoteThread 2943 405bd2 2941->2943 2944 405bfe 2941->2944 2942 405b26 2946 405b39 GetModuleFileNameA VirtualAllocEx 2942->2946 2943->2940 2945 405c08 WaitForSingleObject 2943->2945 2944->2940 2945->2940 2946->2943 2947 405b77 WriteProcessMemory 2946->2947 2947->2943 2948 405b9f CreateRemoteThread 2947->2948 2948->2940 2948->2943 2950 4053b9 2949->2950 2951 4053cc 7 API calls 2950->2951 2952 4054a0 2951->2952 2953 405506 Wow64GetThreadContext WriteProcessMemory Wow64SetThreadContext ResumeThread 2952->2953 2954 4054b8 WriteProcessMemory 2952->2954 2953->2928 2954->2952 2956 40b332 2955->2956 2957 40b30c RegSetValueExA RegCloseKey 2955->2957 2956->2914 2957->2956 2959 40b164 lstrlenA RegSetValueExA RegCloseKey 2958->2959 2960 4050cd 2958->2960 2959->2960 2960->2907 2962 404c90 2961->2962 2963 405ab3 VirtualQuery 2962->2963 2963->2937 2965 4058f4 2964->2965 2966 4058fb VirtualAllocEx 2964->2966 2965->2940 2965->2941 2965->2942 2966->2965 2967 40591f VirtualAlloc 2966->2967 2972 405946 2967->2972 2968 405a6b 2968->2965 2970 405a71 VirtualFreeEx 2968->2970 2969 405a58 VirtualFree 2969->2968 2970->2965 2971 405a37 WriteProcessMemory 2971->2969 2972->2968 2972->2969 2972->2971 2974 4055ac 2973->2974 2975 4055c2 SHGetFolderPathA wsprintfA 2974->2975 2976 404c90 2975->2976 
2977 405609 GetModuleFileNameA SetFileAttributesA DeleteFileA CopyFileA 2976->2977 2979 407088 ExitThread 2978->2979 2980 407090 2978->2980 2981 4070c6 30 API calls 2980->2981 2982 40736f 2981->2982 2983 407419 21 API calls 2982->2983 2986 4073e7 lstrcatA lstrcpyA 2982->2986 2988 4073c1 lstrlenA 2982->2988 2984 4075a4 2983->2984 2996 40a860 2984->2996 2986->2982 2988->2982 2990 40774b 2991 40761d VirtualAllocEx 2991->2990 2992 407653 WriteProcessMemory WriteProcessMemory 2991->2992 2993 4076ec CreateRemoteThread 2992->2993 2994 40771b 2993->2994 2995 40771d WaitForSingleObject GetExitCodeThread 2993->2995 2994->2993 2995->2990 2995->2994 2997 4075ac SHGetFolderPathA lstrcatA CreateProcessA 2996->2997 2998 40a874 GetCurrentProcess IsWow64Process 2996->2998 2997->2990 2997->2991 2998->2997 2999 40a88b 2998->2999 2999->2997 3654 40b430 3655 40b44c 3654->3655 3656 40b3b0 3 API calls 3655->3656 3657 40b464 lstrlenA MultiByteToWideChar 3656->3657 3727 4036f0 3728 407d90 LoadLibraryW 3727->3728 3729 4036fb GetModuleHandleA GetProcAddress SetLastError CreateMutexA GetLastError 3728->3729 3730 403743 GetCurrentProcessId CreateThread 3729->3730 3731 40373b ExitProcess 3729->3731 3732 40377e 3730->3732 3733 40a860 2 API calls 3732->3733 3734 4037ae 3733->3734 3739 403980 3734->3739 3736 403817 3738 4037e7 CreateThread CreateThread 3738->3736 3761 403cd0 3738->3761 3770 403b60 6 API calls 3738->3770 3740 40a860 2 API calls 3739->3740 3741 403998 3740->3741 3742 4039c6 SHGetFolderPathA lstrcatA 3741->3742 3749 4039ff 3742->3749 3743 4037b8 3743->3736 3743->3738 3744 403a26 FindFirstFileA 3744->3749 3745 403b18 FindNextFileA 3747 403b34 FindClose 3745->3747 3745->3749 3746 403a62 lstrlenA 3748 40a180 3 API calls 3746->3748 3747->3749 3748->3749 3749->3743 3749->3744 3749->3745 3749->3746 3750 403a98 StrRChrA 3749->3750 3751 403ac2 lstrcpynA lstrcatA 3749->3751 3750->3749 3753 403820 lstrcatA FindFirstFileA 3751->3753 3754 40384f 3753->3754 3755 403866 StrRChrA 3754->3755 3756 
403945 FindNextFileA 3754->3756 3757 4038d9 StrStrIA 3754->3757 3760 40388a lstrcpynA lstrcatA 3754->3760 3755->3754 3756->3754 3758 403961 FindClose 3756->3758 3757->3756 3759 4038f4 lstrcpyA lstrlenA 3757->3759 3758->3749 3759->3756 3760->3754 3769 403cd9 3761->3769 3762 403e44 3763 403ce6 CreateToolhelp32Snapshot 3763->3769 3764 403d08 Process32First 3764->3769 3765 403d40 lstrlenA 3766 40a180 3 API calls 3765->3766 3766->3769 3767 403e02 Process32Next 3768 403e2a CloseHandle Sleep 3767->3768 3767->3769 3768->3769 3769->3762 3769->3763 3769->3764 3769->3765 3769->3767 3773 403bcf 3770->3773 3771 403cbe 3772 403cb1 Sleep 3772->3773 3773->3771 3773->3772 3774 403c59 SetTcpEntry 3773->3774 3774->3773 3863 40afb0 3864 40afb4 3863->3864 3865 40afea 3864->3865 3866 40afbd GetDesktopWindow 3864->3866 3867 40afd3 FindWindowExA 3866->3867 3868 40afec Sleep 3866->3868 3867->3865 3867->3868 3868->3864 3869 40b9b0 3874 40b880 GetUserNameW NetUserGetInfo 3869->3874 3872 40b9c2 3875 40b8ce 3874->3875 3877 40b8e7 3874->3877 3876 40b8d7 NetApiBufferFree 3875->3876 3875->3877 3876->3877 3877->3872 3878 40b8f0 RegOpenKeyExA 3877->3878 3879 40b98f 3878->3879 3880 40b91b RegQueryValueExA RegQueryValueExA RegCloseKey 3878->3880 3879->3872 3880->3879 3658 405031 3659 40538b ExitProcess 3658->3659 3660 40a131 3661 40a16e CloseHandle 3660->3661

                                                  Control-flow Graph

                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00407030
                                                  • SetLastError.KERNEL32(00000000), ref: 00407066
                                                  • CreateMutexA.KERNELBASE(00000000,00000000,SSLOADasdasc000900), ref: 00407075
                                                  • GetLastError.KERNEL32 ref: 0040707B
                                                  • ExitThread.KERNEL32 ref: 0040708A
                                                  • GetProcAddress.KERNEL32(?,CloseHandle), ref: 004070F2
                                                  • GetProcAddress.KERNEL32(?,CreateFileA), ref: 0040710A
                                                  • GetProcAddress.KERNEL32(?,DeleteFileA), ref: 00407122
                                                  • GetProcAddress.KERNEL32(?,ExitProcess), ref: 0040713A
                                                  • GetProcAddress.KERNEL32(?,GetFileSize), ref: 00407152
                                                  • GetProcAddress.KERNEL32(?,GetProcAddress), ref: 0040716A
                                                  • GetProcAddress.KERNEL32(?,GetSystemTime), ref: 00407182
                                                  • GetProcAddress.KERNEL32(?,GetTempPathA), ref: 0040719A
                                                  • GetProcAddress.KERNEL32(?,LoadLibraryA), ref: 004071B2
                                                  • GetProcAddress.KERNEL32(?,lstrcatA), ref: 004071CA
                                                  • GetProcAddress.KERNEL32(?,lstrlenA), ref: 004071E2
                                                  • GetProcAddress.KERNEL32(?,ReadFile), ref: 004071FA
                                                  • GetProcAddress.KERNEL32(?,SetFileAttributesA), ref: 00407212
                                                  • GetProcAddress.KERNEL32(?,WinExec), ref: 0040722A
                                                  • GetProcAddress.KERNEL32(?,WriteFile), ref: 00407242
                                                  • GetProcAddress.KERNEL32(?,Sleep), ref: 0040725A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$ErrorLast$CreateExitHandleModuleMutexThread
                                                  • String ID: %$.exe$9EEAi^^2A:]H:A>2?:2]4@>]2CE34@?b]CF^7C7{6r]8:7$9EEAi^^2A:]H:A>2?:2]4@>]3H2ED]CF^~7;%|6]8:7$9EEAi^^2A:]H:A>2?:2]4@>]4>@6?]CF^K<>4w|]8:7$9EEAi^^2A:]H:A>2?:2]4@>]7@H5]CF^2A:]8:7$9EEAi^^2A:]H:A>2?:2]4@>]=@EFDd]CF^2A:]8:7$9EEAi^^2A:]H:A>2?:2]4@>]=@EJD]CF^Gy@yp:]8:7$9EEAi^^2A:]H:A>2?:2]4@>]D6=7>8]CF^2A:]8:7$9EEAi^^2A:]H:A>2?:2]4@>]DE4FD]CF^2A$!9G]8:7$9EEAi^^2A:]H:A>2?:2]4@>]H:A>2?:2]CF^{<HpIs]8:7$9EEAi^^2A:]H:A>2?:2]4@>]J6=@E@]CF^KHu|Hs]8:7$9EEAi^^2A:`]H:A>2?:2]4@>]H:A>D4]CF^2A:`]8:7$9EEAi^^2A:a]H:A>2?:2]4@>]H:A>D4]CF^2A:a]8:7$9EEAi^^2A:b]H:A>2?:2]4@>]H:A>D4]CF^2A:b]8:7$9EEAi^^2A:c]H:A>2?:2]4@>]H:A>D4]CF^2A:c]8:7$9EEAi^^2A:d]H:A>2?:2]4@>]H:A>D4]CF^2A:d]8:7$9EEAi^^2A:e]H:A>2?:2]4@>]H:A>D4]CF^2A:e]8:7$9EEAi^^2A:f]H:A>2?:2]4@>]H:A>D4]CF^2A:f]8:7$9EEAi^^2A:g]H:A>2?:2]4@>]H:A>D4]CF^2A:g]8:7$9EEAi^^2A:h]H:A>2?:2]4@>]H:A>D4]CF^2A:h]8:7$9EEAi^^FA52E6]H:A>2?:2]4@>]C2F=9@DE]CF^=@8@]8:7$C:\Windows\SysWOW64\calc.exe$CloseHandle$CreateFileA$CreateMutexA$D$DeleteFileA$ExitProcess$GetFileSize$GetLastError$GetProcAddress$GetSystemTime$GetTempPathA$InternetCheckConnectionA$LoadLibraryA$ReadFile$SSLOADasdasc000900$SetFileAttributesA$Sleep$URLDownloadToFileA$WinExec$WriteFile$\calc.exe$abcdefghijklmnopqrstuvwxyz0123456789$c731200$c731200$http://www.google.com$kernel32.dll$lstrcatA$lstrlenA$urlmon.dll$user32.dll$wininet.dll$wsprintfA
                                                  • API String ID: 62013889-40255206
                                                  • Opcode ID: f6ddf2a8966a10d19f38df9c551ac4257d8bcd0481a924707e71daf40e99a4d1
                                                  • Instruction ID: 039a37cea978da9ecfcf0616cb0299ff379ed1d45bd0e1566b75767197db2db3
                                                  • Opcode Fuzzy Hash: f6ddf2a8966a10d19f38df9c551ac4257d8bcd0481a924707e71daf40e99a4d1
                                                  • Instruction Fuzzy Hash: 50026171A40318AFDB14DBA0DD49FED7774AB48700F5045A6F709BA2E0D7B9AA80CF58

                                                  Control-flow Graph

                                                  APIs
                                                  • CreateThread.KERNELBASE(00000000,00000000,00407020,00000000,00000000,00000000), ref: 00404FC8
                                                  • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\LisectAVT_2403002C_106.exe,00000207), ref: 00404FF4
                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,IsWow64Process), ref: 00405004
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0040500B
                                                  • GetCommandLineA.KERNEL32(-aav_start), ref: 0040501B
                                                  • StrStrA.SHLWAPI(00000000), ref: 00405022
                                                  • GetCommandLineA.KERNEL32(-shell), ref: 0040503B
                                                  • StrStrA.SHLWAPI(00000000), ref: 00405042
                                                  • SetLastError.KERNEL32(00000000), ref: 00405052
                                                  • CreateMutexA.KERNEL32(00000000,00000000,Windows_Shared_Mutex_231_c000900), ref: 00405061
                                                  • GetLastError.KERNEL32 ref: 0040506C
                                                  • ExitProcess.KERNEL32 ref: 0040507B
                                                  • ExitProcess.KERNEL32 ref: 0040538D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: CommandCreateErrorExitLastLineModuleProcess$AddressFileHandleMutexNameProcThread
                                                  • String ID: %$-aav_start$-shell$C:\Users\user\Desktop\LisectAVT_2403002C_106.exe$C:\Windows\SysWOW64\mspaint.exe$CFlagc000900$CreateMutexA$CreateProcessW$D$ExitProcess$GetLastError$GetProcessVersion$IsWow64Process$SVCHOST_MUTEX_OBJECT_RELEASED_c000900$SetLastError$Sleep$Windows_Shared_Mutex_231_c000900$\mspaint.exe$\svchost.exe$kernel32.dll$kernel32.dll
                                                  • API String ID: 395199812-4231946185
                                                  • Opcode ID: 7e2388e464de3ec378d28578624941e543d1ffffa28e51e2b0b2dcce1d40cefa
                                                  • Instruction ID: f20050b447da9c78dc032c902e32e868168cfbc53e4bede8df943421e5f12fb4
                                                  • Opcode Fuzzy Hash: 7e2388e464de3ec378d28578624941e543d1ffffa28e51e2b0b2dcce1d40cefa
                                                  • Instruction Fuzzy Hash: 6AA124B5A80304BBE7109BA0ED4AFA97774AB48B05F108176F705BA1F0D7B85684CF5D

                                                  Control-flow Graph

                                                  APIs
                                                  • GetCommandLineW.KERNEL32(00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 004053E9
                                                  • CreateProcessW.KERNELBASE(?,00000000), ref: 004053F4
                                                  • GetModuleHandleA.KERNEL32(ntdll.dll,NtUnmapViewOfSection), ref: 0040541F
                                                  • GetProcAddress.KERNEL32(00000000), ref: 00405426
                                                  • NtUnmapViewOfSection.NTDLL(?,?), ref: 00405442
                                                  • VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 0040546A
                                                  • WriteProcessMemory.KERNELBASE(?,?,00405388,?,00000000), ref: 00405491
                                                  • WriteProcessMemory.KERNELBASE(?,?,?,00000000,00000000), ref: 004054FE
                                                  • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0040551E
                                                  • WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00405543
                                                  • Wow64SetThreadContext.KERNEL32(?,00010007), ref: 0040556F
                                                  • ResumeThread.KERNELBASE(?), ref: 0040557C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: Process$MemoryThreadWrite$ContextWow64$AddressAllocCommandCreateHandleLineModuleProcResumeSectionUnmapViewVirtual
                                                  • String ID: NtUnmapViewOfSection$ntdll.dll
                                                  • API String ID: 1280363353-1050664331
                                                  • Opcode ID: 5f17cf03f17282bed52562908b56d1293ac428989c05baf0e85435c59f420ed3
                                                  • Instruction ID: 2f5b5f8039db3d3a9e2d9b2c7809133606020e9b5326332ce8fbaa38ba0ba576
                                                  • Opcode Fuzzy Hash: 5f17cf03f17282bed52562908b56d1293ac428989c05baf0e85435c59f420ed3
                                                  • Instruction Fuzzy Hash: 9A512D75A41258AFCB54CF94CD88FDDB779AB48304F1081DAFA09A7391D634AE81CF58

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 88 4058c0-4058f2 IsBadReadPtr 89 4058f4-4058f6 88->89 90 4058fb-405919 VirtualAllocEx 88->90 91 405a90-405a93 89->91 92 405a8d 90->92 93 40591f-40594d VirtualAlloc call 403e50 90->93 92->91 96 405953-405965 93->96 97 405a6b-405a6f 93->97 98 405a58-405a65 VirtualFree 96->98 99 40596b-405971 96->99 97->92 100 405a71-405a86 VirtualFreeEx 97->100 98->97 99->98 101 405977-405997 99->101 100->92 102 40599a-4059a0 101->102 103 4059a6-4059ad 102->103 104 405a37-405a55 WriteProcessMemory 102->104 105 405a26-405a32 103->105 106 4059af-4059cd 103->106 104->98 105->102 107 4059d8-4059de 106->107 107->105 108 4059e0-4059ec 107->108 109 405a24 108->109 110 4059ee-405a22 108->110 109->107 110->109
                                                  APIs
                                                  • IsBadReadPtr.KERNEL32(00405AF4,?), ref: 004058EA
                                                  • VirtualAllocEx.KERNELBASE(00407810,00000000,?,00003000,00000040), ref: 0040590C
                                                  • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0040592C
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: AllocVirtual$Read
                                                  • String ID:
                                                  • API String ID: 3755761445-0
                                                  • Opcode ID: b76096d6fd9ebd558886cd4db9611550a91ab8346a307149a99ce1c20da73a46
                                                  • Instruction ID: 3575a3e607f3602e3235c3fb0587b13d2629998cfff82a088f9809d928d4b095
                                                  • Opcode Fuzzy Hash: b76096d6fd9ebd558886cd4db9611550a91ab8346a307149a99ce1c20da73a46
                                                  • Instruction Fuzzy Hash: D661A274A01209EFCB04CF98D994BAEB7B5FF48301F248269E915BB390D735A941CFA4

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 112 405ad0-405afe call 405aa0 call 4058c0 117 405b00-405b02 112->117 118 405b07-405b20 112->118 119 405c1c-405c1f 117->119 120 405bd4-405bfc CreateRemoteThread 118->120 121 405b26-405b75 call 404c90 GetModuleFileNameA VirtualAllocEx 118->121 122 405c02-405c06 120->122 123 405bfe-405c00 120->123 128 405bd2 121->128 129 405b77-405b9d WriteProcessMemory 121->129 125 405c17 122->125 126 405c08-405c11 WaitForSingleObject 122->126 123->119 125->119 126->125 128->122 129->128 130 405b9f-405bcc CreateRemoteThread 129->130 130->128 131 405bce-405bd0 130->131 131->119
                                                  APIs
                                                    • Part of subcall function 00405AA0: VirtualQuery.KERNEL32(00405AA0,?,0000001C,?,?,?,?,?,?,?,?,?,00405ADE), ref: 00405AC1
                                                    • Part of subcall function 004058C0: IsBadReadPtr.KERNEL32(00405AF4,?), ref: 004058EA
                                                  • GetModuleFileNameA.KERNEL32(00000000,?,000000FE), ref: 00405B4A
                                                  • VirtualAllocEx.KERNELBASE(00407810,00000000,00000104,00001000,00000004), ref: 00405B62
                                                  • WriteProcessMemory.KERNELBASE(00407810,00000000,?,00000104,?), ref: 00405B95
                                                  • CreateRemoteThread.KERNELBASE(00407810,00000000,00000000,?,00000000,00000000,00000000), ref: 00405BB9
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: Virtual$AllocCreateFileMemoryModuleNameProcessQueryReadRemoteThreadWrite
                                                  • String ID:
                                                  • API String ID: 2663169638-0
                                                  • Opcode ID: 997013f3ba0757829bce087efd1303241d8dfc1653f6ffa88fc73ff728293bc3
                                                  • Instruction ID: 229f2f54db172318e7c36139ec77e7b8d936713b7ae798d246e7ed01ac662100
                                                  • Opcode Fuzzy Hash: 997013f3ba0757829bce087efd1303241d8dfc1653f6ffa88fc73ff728293bc3
                                                  • Instruction Fuzzy Hash: 44313475A44218AFEB24DF60CD4AFEA7374EB44704F1085A5F749BA1C0D6B46EC18F98

                                                  Control-flow Graph

                                                  APIs
                                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 004055D4
                                                  • wsprintfA.USER32 ref: 004055ED
                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0040561A
                                                  • SetFileAttributesA.KERNELBASE(?,00000080), ref: 0040562C
                                                  • DeleteFileA.KERNELBASE(?), ref: 00405639
                                                  • CopyFileA.KERNEL32(?,?,00000000), ref: 0040564F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: File$AttributesCopyDeleteFolderModuleNamePathwsprintf
                                                  • String ID: %s\c731200
                                                  • API String ID: 589293570-1377743397
                                                  • Opcode ID: cb7b3fa3e425501208ab7955a174114ee4141505754a42944286a54883597aea
                                                  • Instruction ID: 03569b9b65cfe378fb5d8afda728a54190bd6b7059e73d999f0fc6d5056232cc
                                                  • Opcode Fuzzy Hash: cb7b3fa3e425501208ab7955a174114ee4141505754a42944286a54883597aea
                                                  • Instruction Fuzzy Hash: E51173B594420C7BE724DB90EC4AFE9733CAB58704F0005A9B789B90D1EAF457C88F95

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 132 405031-40538d ExitProcess
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: ExitProcess
                                                  • String ID:
                                                  • API String ID: 621844428-0
                                                  • Opcode ID: 774ef12d4be007b03fa4bcaf77ba134c63c8ccd1c00a2221cc2ae5a3dc89526f
                                                  • Instruction ID: d0de9fd4cb6fa50ef4c6a8b9d3e7396c5a16b220319f22ea96f51e8c4561bf15
                                                  • Opcode Fuzzy Hash: 774ef12d4be007b03fa4bcaf77ba134c63c8ccd1c00a2221cc2ae5a3dc89526f
                                                  • Instruction Fuzzy Hash: B19002341586015AD2481750592973565109705742F104531AB5A780E445B40001595A

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 264 404370-40442d call 404c90 * 2 SHGetFolderPathA wsprintfA lstrlenA 270 404a51-404a56 264->270 271 404433-404496 GetDriveTypeA 264->271 272 404a4c 271->272 273 40449c-40452c call 404c90 * 2 wsprintfA SetFileAttributesA DeleteFileA CreateFileA 271->273 272->272 278 40454a 273->278 279 40452e-404548 CloseHandle DeleteFileA 273->279 280 40454f-4045f4 call 404c90 GetVolumeInformationA call 403ea0 call 4040d0 lstrcatA wsprintfA FindFirstFileA 278->280 279->280 287 4045fa-404610 lstrcmpA 280->287 288 4049ad-404a46 wsprintfA SetFileAttributesA DeleteFileA CopyFileA SetFileAttributesA CreateFileA 280->288 289 404991-4049a7 FindNextFileA 287->289 290 404616-40469a call 404c90 * 4 lstrcpyA 287->290 288->272 289->287 289->288 299 4046ab-4046be lstrlenA 290->299 300 4046c0-4046d0 299->300 301 4046fe-404707 299->301 302 4046d2 300->302 303 4046d4-4046e5 300->303 304 404793-40479c 301->304 305 40470d-40478d call 404c90 * 2 wsprintfA * 2 MoveFileA 301->305 302->301 307 4046e7-4046f5 303->307 308 4046fc 303->308 309 4047a5-4047ff wsprintfA * 2 StrStrA 304->309 310 40479e 304->310 305->304 307->308 308->301 314 40469c-4046a5 308->314 311 404801-404820 SetFileAttributesA DeleteFileA 309->311 312 40482a-40483e StrStrA 309->312 310->309 311->289 315 404840-404854 StrStrA 312->315 316 404898-4048b4 GetFileAttributesA 312->316 314->299 315->316 318 404856-40486a StrStrA 315->318 319 4048b6-4048bf 316->319 320 4048cc-40490f SetFileAttributesA DeleteFileA CopyFileA SetFileAttributesA 316->320 318->316 322 40486c-404880 StrStrA 318->322 319->320 323 4048c1-4048ca 319->323 324 404915 320->324 322->316 326 404882-404896 StrStrA 322->326 323->320 323->324 324->289 325 404917-404971 lstrlenA * 2 MultiByteToWideChar call 404140 324->325 325->289 329 404973-40498b SetFileAttributesA * 2 325->329 326->316 326->325 329->289
                                                  APIs
                                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 004043DD
                                                  • wsprintfA.USER32 ref: 004043F6
                                                  • lstrlenA.KERNEL32(?), ref: 00404421
                                                  • GetDriveTypeA.KERNEL32(?), ref: 00404483
                                                  • wsprintfA.USER32 ref: 004044D8
                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 004044ED
                                                  • DeleteFileA.KERNEL32(?), ref: 004044FA
                                                  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404519
                                                  • CloseHandle.KERNEL32(000000FF), ref: 00404535
                                                  • DeleteFileA.KERNEL32(?), ref: 00404542
                                                  • GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0040457F
                                                    • Part of subcall function 004040D0: lstrlenA.KERNEL32(?,?,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,?,?,?,?,?,?,?,?,?,?,?,?,004045A2), ref: 0040410D
                                                  • lstrcatA.KERNEL32(?,.exe), ref: 004045B1
                                                  • wsprintfA.USER32 ref: 004045CA
                                                  • FindFirstFileA.KERNEL32(?,?), ref: 004045E1
                                                  • lstrcmpA.KERNEL32(?,?), ref: 00404608
                                                  • lstrcpyA.KERNEL32(?,?), ref: 0040468A
                                                  • lstrlenA.KERNEL32(?), ref: 004046B2
                                                  • wsprintfA.USER32 ref: 00404753
                                                  • wsprintfA.USER32 ref: 00404776
                                                  • MoveFileA.KERNEL32(?,?), ref: 0040478D
                                                  • wsprintfA.USER32 ref: 004047BF
                                                  • wsprintfA.USER32 ref: 004047E2
                                                  • StrStrA.SHLWAPI(?,.lnk), ref: 004047F7
                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 0040480D
                                                  • DeleteFileA.KERNEL32(?), ref: 0040481A
                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0040499F
                                                  • wsprintfA.USER32 ref: 004049C7
                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 004049DC
                                                  • DeleteFileA.KERNEL32(?), ref: 004049E9
                                                  • CopyFileA.KERNEL32(?,?,00000000), ref: 004049FF
                                                  • SetFileAttributesA.KERNEL32(?,00000006), ref: 00404A0E
                                                  • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000006,00000000), ref: 00404A2A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: File$wsprintf$AttributesDelete$lstrlen$CreateFind$CloseCopyDriveFirstFolderHandleInformationMoveNextPathTypeVolumelstrcatlstrcmplstrcpy
                                                  • String ID: %s\%s$%s\%s$%s\%s$%s\%s$%s\%s.lnk$%s\*$%s\c731200$%s\c731200$.cmd$.com$.exe$.exe$.lnk$.pif$.scr$:$:$BCDEFGHIJKLMNOPQRSTUVWXYZ$\$_$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
                                                  • API String ID: 1100892458-693930271
                                                  • Opcode ID: 344146ab5123802e8f01db76e9c26d315ea2b7f0cd183096087b988476e8e981
                                                  • Instruction ID: 306f9480e873f6b5e852b8f30d379ad9a78f515962fa5b79eb97e007c889954e
                                                  • Opcode Fuzzy Hash: 344146ab5123802e8f01db76e9c26d315ea2b7f0cd183096087b988476e8e981
                                                  • Instruction Fuzzy Hash: 0C02C8B1904218ABEB20DBA0DD49FEA7778AB44704F0045EAF709B61D1EB756BC8CF54

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 330 40440b-40442d lstrlenA 332 404a51-404a56 330->332 333 404433-404496 GetDriveTypeA 330->333 334 404a4c 333->334 335 40449c-40452c call 404c90 * 2 wsprintfA SetFileAttributesA DeleteFileA CreateFileA 333->335 334->334 340 40454a 335->340 341 40452e-404548 CloseHandle DeleteFileA 335->341 342 40454f-4045f4 call 404c90 GetVolumeInformationA call 403ea0 call 4040d0 lstrcatA wsprintfA FindFirstFileA 340->342 341->342 349 4045fa-404610 lstrcmpA 342->349 350 4049ad-404a46 wsprintfA SetFileAttributesA DeleteFileA CopyFileA SetFileAttributesA CreateFileA 342->350 351 404991-4049a7 FindNextFileA 349->351 352 404616-40469a call 404c90 * 4 lstrcpyA 349->352 350->334 351->349 351->350 361 4046ab-4046be lstrlenA 352->361 362 4046c0-4046d0 361->362 363 4046fe-404707 361->363 364 4046d2 362->364 365 4046d4-4046e5 362->365 366 404793-40479c 363->366 367 40470d-40478d call 404c90 * 2 wsprintfA * 2 MoveFileA 363->367 364->363 369 4046e7-4046f5 365->369 370 4046fc 365->370 371 4047a5-4047ff wsprintfA * 2 StrStrA 366->371 372 40479e 366->372 367->366 369->370 370->363 376 40469c-4046a5 370->376 373 404801-404820 SetFileAttributesA DeleteFileA 371->373 374 40482a-40483e StrStrA 371->374 372->371 373->351 377 404840-404854 StrStrA 374->377 378 404898-4048b4 GetFileAttributesA 374->378 376->361 377->378 380 404856-40486a StrStrA 377->380 381 4048b6-4048bf 378->381 382 4048cc-40490f SetFileAttributesA DeleteFileA CopyFileA SetFileAttributesA 378->382 380->378 384 40486c-404880 StrStrA 380->384 381->382 385 4048c1-4048ca 381->385 386 404915 382->386 384->378 388 404882-404896 StrStrA 384->388 385->382 385->386 386->351 387 404917-404971 lstrlenA * 2 MultiByteToWideChar call 404140 386->387 387->351 391 404973-40498b SetFileAttributesA * 2 387->391 388->378 388->387 391->351
                                                  APIs
                                                  • lstrlenA.KERNEL32(?), ref: 00404421
                                                  • GetDriveTypeA.KERNEL32(?), ref: 00404483
                                                  • wsprintfA.USER32 ref: 004044D8
                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 004044ED
                                                  • DeleteFileA.KERNEL32(?), ref: 004044FA
                                                  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404519
                                                  • CloseHandle.KERNEL32(000000FF), ref: 00404535
                                                  • DeleteFileA.KERNEL32(?), ref: 00404542
                                                  • GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0040457F
                                                    • Part of subcall function 004040D0: lstrlenA.KERNEL32(?,?,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,?,?,?,?,?,?,?,?,?,?,?,?,004045A2), ref: 0040410D
                                                  • lstrcatA.KERNEL32(?,.exe), ref: 004045B1
                                                  • wsprintfA.USER32 ref: 004045CA
                                                  • FindFirstFileA.KERNEL32(?,?), ref: 004045E1
                                                  • lstrcmpA.KERNEL32(?,?), ref: 00404608
                                                  • lstrcpyA.KERNEL32(?,?), ref: 0040468A
                                                  • lstrlenA.KERNEL32(?), ref: 004046B2
                                                  • wsprintfA.USER32 ref: 00404753
                                                  • wsprintfA.USER32 ref: 00404776
                                                  • MoveFileA.KERNEL32(?,?), ref: 0040478D
                                                  • wsprintfA.USER32 ref: 004047BF
                                                  • wsprintfA.USER32 ref: 004047E2
                                                  • StrStrA.SHLWAPI(?,.lnk), ref: 004047F7
                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 0040480D
                                                  • DeleteFileA.KERNEL32(?), ref: 0040481A
                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0040499F
                                                  • wsprintfA.USER32 ref: 004049C7
                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 004049DC
                                                  • DeleteFileA.KERNEL32(?), ref: 004049E9
                                                  • CopyFileA.KERNEL32(?,?,00000000), ref: 004049FF
                                                  • SetFileAttributesA.KERNEL32(?,00000006), ref: 00404A0E
                                                  • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000006,00000000), ref: 00404A2A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: File$wsprintf$AttributesDelete$lstrlen$CreateFind$CloseCopyDriveFirstHandleInformationMoveNextTypeVolumelstrcatlstrcmplstrcpy
                                                  • String ID: %s\%s$%s\%s$%s\%s$%s\%s$%s\%s.lnk$%s\*$%s\c731200$.exe$.lnk$:$:$\
                                                  • API String ID: 3081613290-300744826
                                                  • Opcode ID: 69022885b2b479072937c1673506c6c707eacc455126d90f3f02bbb7387b2b01
                                                  • Instruction ID: d351cab4489fac4db1c8ed33e6e815cb872f6f3036aa9a7e65a4e40b4f126457
                                                  • Opcode Fuzzy Hash: 69022885b2b479072937c1673506c6c707eacc455126d90f3f02bbb7387b2b01
                                                  • Instruction Fuzzy Hash: B4C1B2B1D04218ABEB20DB60DD49FEA7738AB44704F0045EAF349B61D1EB796B88CF55
                                                  APIs
                                                  • GetEnvironmentVariableA.KERNEL32(HOMEDRIVE,?,00000103), ref: 00404DB4
                                                  • lstrcatA.KERNEL32(?,\Program Files\), ref: 00404DC6
                                                  • lstrcatA.KERNEL32(?,?), ref: 00404DD7
                                                  • lstrcatA.KERNEL32(?,004018A8), ref: 00404DE9
                                                  • lstrcpyA.KERNEL32(?,?), ref: 00404DFD
                                                  • lstrcatA.KERNEL32(?,004018AC), ref: 00404E0F
                                                  • FindFirstFileA.KERNEL32(?,?), ref: 00404E23
                                                  • lstrcpyA.KERNEL32(?,?), ref: 00404E55
                                                  • lstrcatA.KERNEL32(?,?), ref: 00404E69
                                                  • StrStrA.SHLWAPI(?,00000000), ref: 00404E7C
                                                  • lstrcpyA.KERNEL32(?,?), ref: 00404E94
                                                    • Part of subcall function 00404CE0: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00404D0F
                                                    • Part of subcall function 00404CE0: GetTickCount.KERNEL32 ref: 00404D6D
                                                  • lstrcatA.KERNEL32(?,00000000), ref: 00404EA7
                                                  • MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00404EBD
                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00404ED1
                                                  • FindClose.KERNEL32(000000FF), ref: 00404EE6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: lstrcat$FileFindlstrcpy$CloseCountEnvironmentFirstInformationMoveNextTickVariableVolume
                                                  • String ID: HOMEDRIVE$\Program Files\
                                                  • API String ID: 3772047255-45981873
                                                  • Opcode ID: 9887c3c35219158deb09815511d77c206bf9675b5bb578cb3fd8d0c76b686a04
                                                  • Instruction ID: 55dba6303b1fd307ffc0d01fef8f895c0170d5853f8370afaa5bc5b013c18935
                                                  • Opcode Fuzzy Hash: 9887c3c35219158deb09815511d77c206bf9675b5bb578cb3fd8d0c76b686a04
                                                  • Instruction Fuzzy Hash: 223130B690021C9BCB25DBA0DD48EDA777CBB4C701F4045EAB209B6160DB749BC5CF98
                                                  APIs
                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,00000000), ref: 004089E6
                                                  • GetComputerNameA.KERNEL32(?,00000104), ref: 00408A04
                                                  • CharLowerA.USER32(?), ref: 00408A11
                                                  • lstrlenA.KERNEL32(?), ref: 00408A1E
                                                  • wsprintfA.USER32 ref: 00408A3D
                                                  • FindFirstFileA.KERNEL32(?,?), ref: 00408A54
                                                  • CharLowerA.USER32(?), ref: 00408AC2
                                                  • wsprintfA.USER32 ref: 00408B68
                                                  • wsprintfA.USER32 ref: 00408B8B
                                                  • MoveFileA.KERNEL32(?,?), ref: 00408BA2
                                                  • GetLastError.KERNEL32 ref: 00408BAD
                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00408BCB
                                                  • FindClose.KERNEL32(000000FF), ref: 00408BE0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: FileFindwsprintf$CharLower$CloseComputerErrorFirstFolderLastMoveNameNextPathSpeciallstrlen
                                                  • String ID: %s\%s$%s\%s$%s\*.*
                                                  • API String ID: 626640802-3236339881
                                                  • Opcode ID: 19bc10c7292f2bc8555c00c7047a1f98e1203c295ead2c4097cd2fe478646660
                                                  • Instruction ID: d5bc276044fbb325fdb7097c3eaf3dc6b38036e8a860377ce51be22551594468
                                                  • Opcode Fuzzy Hash: 19bc10c7292f2bc8555c00c7047a1f98e1203c295ead2c4097cd2fe478646660
                                                  • Instruction Fuzzy Hash: 1151B0B09002289BCB24CB60CD88BEA7779AB95300F5441EEE649B6590DB795FD4CF58
                                                  APIs
                                                  • wsprintfA.USER32 ref: 0040803F
                                                  • FindFirstFileA.KERNEL32(?,?), ref: 00408056
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00408087
                                                  • Process32First.KERNEL32(000000FF,00000128), ref: 004080AD
                                                  • lstrcmpiA.KERNEL32(?,?), ref: 004080C4
                                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 004080D9
                                                  • TerminateProcess.KERNEL32(?,00000000), ref: 004080EE
                                                  • CloseHandle.KERNEL32(?), ref: 004080FB
                                                  • CloseHandle.KERNEL32(000000FF,000000FF,00000128,00000002,00000000), ref: 00408121
                                                  • wsprintfA.USER32 ref: 0040813E
                                                  • DeleteFileA.KERNEL32(?), ref: 0040814E
                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0040815F
                                                  • FindClose.KERNEL32(000000FF), ref: 00408171
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: CloseFileFind$FirstHandleProcesswsprintf$CreateDeleteNextOpenProcess32SnapshotTerminateToolhelp32lstrcmpi
                                                  • String ID: %s\%s$%s\*.*
                                                  • API String ID: 1369980460-1665845743
                                                  • Opcode ID: 3f998cd785e15b3527f197516405eb7423c30bb9f0503a18529e9006357a4cd9
                                                  • Instruction ID: ea53c5fd96921ad01a31edf6218f14bb861f14071c0f876fdce059dccc4c9808
                                                  • Opcode Fuzzy Hash: 3f998cd785e15b3527f197516405eb7423c30bb9f0503a18529e9006357a4cd9
                                                  • Instruction Fuzzy Hash: ED3133B1900218DBDB24DBA4CD49FEE7778AF48704F1045EDF609B6291DF349A858F58
                                                  APIs
                                                  • lstrcatA.KERNEL32(00403B0B,00401428), ref: 00403832
                                                  • FindFirstFileA.KERNEL32(00403B0B,?), ref: 00403843
                                                  • StrRChrA.SHLWAPI(00403B0B,00000000,0000005C), ref: 0040386E
                                                  • lstrcpynA.KERNEL32(?,00403B0B,00403B09), ref: 004038A2
                                                  • lstrcatA.KERNEL32(?,?), ref: 004038B6
                                                  • StrStrIA.SHLWAPI(?,.exe), ref: 004038E5
                                                  • lstrcpyA.KERNEL32(?,?), ref: 00403902
                                                  • lstrlenA.KERNEL32(?), ref: 00403921
                                                  • FindNextFileA.KERNEL32(?,?), ref: 00403953
                                                  • FindClose.KERNEL32(?), ref: 00403968
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: Find$Filelstrcat$CloseFirstNextlstrcpylstrcpynlstrlen
                                                  • String ID: .exe
                                                  • API String ID: 1387831469-4119554291
                                                  • Opcode ID: be771079bd26f772e2123ce8e145979ceb87963c16cad9fb2b1acb6a85155f10
                                                  • Instruction ID: d661d682cef3f2f825933373bb41032054d0c911eea3c748f87a86c65f168e53
                                                  • Opcode Fuzzy Hash: be771079bd26f772e2123ce8e145979ceb87963c16cad9fb2b1acb6a85155f10
                                                  • Instruction Fuzzy Hash: B33157B5900208EBC718DFB4ED49EDE7B78BB4C705F1085A9F605A72A0D7749A84CF58
                                                  APIs
                                                  • StrCmpNIA.SHLWAPI(?,00411C48,00000000), ref: 0040827B
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ebd8a5826d7375546d8e0f87a1e0c0bfbefc22f0a430cb204545d2d5a56521e3
                                                  • Instruction ID: 34fce4635502969dd778c2ccc4cf352dc4c9547755eafa011bb96722b48ab323
                                                  • Opcode Fuzzy Hash: ebd8a5826d7375546d8e0f87a1e0c0bfbefc22f0a430cb204545d2d5a56521e3
                                                  • Instruction Fuzzy Hash: C2410D706002189BDB24DF65DE84BEA77B5BB48704F0045ADFA49B7290DB34AE90CF58
                                                  APIs
                                                    • Part of subcall function 0040A860: GetCurrentProcess.KERNEL32(00000000), ref: 0040A878
                                                    • Part of subcall function 0040A860: IsWow64Process.KERNEL32(00000000), ref: 0040A87F
                                                  • SHGetFolderPathA.SHELL32(00000000,00000026,00000000,00000000,?), ref: 004039DD
                                                  • lstrcatA.KERNEL32(?,00401434), ref: 004039EF
                                                  • FindFirstFileA.KERNEL32(?,?), ref: 00403A37
                                                  • lstrlenA.KERNEL32(?,00000008), ref: 00403A6B
                                                  • StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 00403AA3
                                                  • lstrcpynA.KERNEL32(?,?,?), ref: 00403AE5
                                                  • lstrcatA.KERNEL32(?,?), ref: 00403AF9
                                                  • FindNextFileA.KERNEL32(?,?), ref: 00403B26
                                                  • FindClose.KERNEL32(?), ref: 00403B3B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: Find$FileProcesslstrcat$CloseCurrentFirstFolderNextPathWow64lstrcpynlstrlen
                                                  • String ID: &
                                                  • API String ID: 3059263463-1010288
                                                  • Opcode ID: dc001cd540902444730ef253120cedb9b1fc1eb8b0fc8ffdaac7b7344c9a13a5
                                                  • Instruction ID: 42f4055b325c1d06398864f7bbfddc1533fe572680981e87ebc7736d52fc66f9
                                                  • Opcode Fuzzy Hash: dc001cd540902444730ef253120cedb9b1fc1eb8b0fc8ffdaac7b7344c9a13a5
                                                  • Instruction Fuzzy Hash: E04190B1900218ABDB25DF60DC89FDA777CBB58304F0081E9E209BA290DAB55BC4CF94
                                                  APIs
                                                  • FindFirstFileA.KERNEL32(*.exe,?), ref: 00405C46
                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 00405C77
                                                  • lstrcpyA.KERNEL32(?,?), ref: 00405CB0
                                                  • lstrcatA.KERNEL32(?,.gonewiththewings), ref: 00405CC2
                                                  • MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00405CD8
                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00405CEC
                                                  • FindClose.KERNEL32(000000FF), ref: 00405D01
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: File$Find$AttributesCloseFirstMoveNextlstrcatlstrcpy
                                                  • String ID: *.exe$.gonewiththewings
                                                  • API String ID: 1705839981-2409806945
                                                  • Opcode ID: 9a9ce52e6d0cd0ead2e73bb0f4babde0c64bc7353541d2fcef1357409c4838fc
                                                  • Instruction ID: d76d9297c5d10eea4c3de792f6087032fe11fddff559d104623231cf311747b2
                                                  • Opcode Fuzzy Hash: 9a9ce52e6d0cd0ead2e73bb0f4babde0c64bc7353541d2fcef1357409c4838fc
                                                  • Instruction Fuzzy Hash: 57216D75900318ABCB24DBA0DC48FEA737CAB08700F4442A5F609BA1A0DB756B84CF94
                                                  APIs
                                                  • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00000000,00000002,00000000), ref: 0040B55F
                                                  • RegSetValueExA.ADVAPI32(00000000,ConsentPromptBehaviorAdmin,00000000,00000004,00000000,00000004), ref: 0040B585
                                                  • RegSetValueExA.ADVAPI32(00000000,ConsentPromptBehaviorUser,00000000,00000004,00000001,00000004), ref: 0040B5A5
                                                  • RegSetValueExA.ADVAPI32(00000000,EnableLUA,00000000,00000004,00000000,00000004), ref: 0040B5C5
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 0040B5CF
                                                  Strings
                                                  • ConsentPromptBehaviorUser, xrefs: 0040B59C
                                                  • SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 0040B555
                                                  • EnableLUA, xrefs: 0040B5BC
                                                  • ConsentPromptBehaviorAdmin, xrefs: 0040B57C
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: Value$CloseOpen
                                                  • String ID: ConsentPromptBehaviorAdmin$ConsentPromptBehaviorUser$EnableLUA$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
                                                  • API String ID: 3241186055-378030391
                                                  • Opcode ID: 6096622f8efa0eb4646c176096bb78da1ee18d5cdb0e266ddcea149f3788d8aa
                                                  • Instruction ID: ce113f94c9f0577b1adec18612ea9d8bb79dac39bcddcddc3693635e649fb38f
                                                  • Opcode Fuzzy Hash: 6096622f8efa0eb4646c176096bb78da1ee18d5cdb0e266ddcea149f3788d8aa
                                                  • Instruction Fuzzy Hash: 98111EB9A40308BBE720DF90DE4AF9D7B78AB44B04F204158B700761D0C7F85A84DB58
                                                  APIs
                                                  • FindFirstFileA.KERNEL32(*.*,?), ref: 00405DA9
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00405DE9
                                                  • Process32First.KERNEL32(?,00000128), ref: 00405E02
                                                  • lstrcmpiA.KERNEL32(?,?), ref: 00405E15
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: First$CreateFileFindProcess32SnapshotToolhelp32lstrcmpi
                                                  • String ID: *.*
                                                  • API String ID: 2426144774-438819550
                                                  • Opcode ID: 45f577b866fd5698acc9e97c06d250e4f76669189426a8433e203d9a83fa2296
                                                  • Instruction ID: 20d9f2b21e0e7605d8d7e52da9510da8dcf13a44df1583057f50d6860835676e
                                                  • Opcode Fuzzy Hash: 45f577b866fd5698acc9e97c06d250e4f76669189426a8433e203d9a83fa2296
                                                  • Instruction Fuzzy Hash: 5D21A3719446189ADF20DBB1CC49BEBB7B8DB19304F0041EAA649B6190EA794B848F99
                                                  APIs
                                                  • VirtualAllocEx.KERNEL32(?,00000000,00000498,00003000,00000004), ref: 00404AB9
                                                  • VirtualAllocEx.KERNEL32(?,00000000,00000160,00003000,00000040), ref: 00404AE3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID: pK@
                                                  • API String ID: 4275171209-3470878236
                                                  • Opcode ID: 513632a9c6e4bafa2d8c4e8f6a308e7751ed07fcea6ccffaa78045740d248521
                                                  • Instruction ID: 9a3d6aab1baeffcecf5c325061c8ca6178fae79cc51057a01cb9a7aaec3dc3da
                                                  • Opcode Fuzzy Hash: 513632a9c6e4bafa2d8c4e8f6a308e7751ed07fcea6ccffaa78045740d248521
                                                  • Instruction Fuzzy Hash: F72130B5A50208FFD700DBA4DD55FAB77B8A788700F10C565F709AB2E0D675AA80CB9C
                                                  APIs
                                                  • FindFirstFileA.KERNEL32(*.gonewiththewings,?), ref: 00405D25
                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 00405D48
                                                  • DeleteFileA.KERNEL32(?), ref: 00405D55
                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00405D69
                                                  • FindClose.KERNEL32(000000FF), ref: 00405D7A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: File$Find$AttributesCloseDeleteFirstNext
                                                  • String ID: *.gonewiththewings
                                                  • API String ID: 1425421994-3334882037
                                                  • Opcode ID: ee4a9947e334562817353fb76ccda520204df8c50c109ae1e0c023ee0a057299
                                                  • Instruction ID: 354d54fa602f1f045afab2f80d02ca477a7350f967777b599ed394c4e8e76f60
                                                  • Opcode Fuzzy Hash: ee4a9947e334562817353fb76ccda520204df8c50c109ae1e0c023ee0a057299
                                                  • Instruction Fuzzy Hash: E2F0627450021D9BCB249B70DE48BEE7338FF08700F4086EAEA4DB11B0D63459448F55
                                                  APIs
                                                  • GetForegroundWindow.USER32 ref: 0040B6B4
                                                  • ShellExecuteExW.SHELL32(0000003C), ref: 0040B6C1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: ExecuteForegroundShellWindow
                                                  • String ID: -aav_start$<$@$runas
                                                  • API String ID: 2707725784-542670659
                                                  • Opcode ID: 2aee52bd306fd1ea68f2ed9d310a3e871ee365c0fca2a858079c27097d18f045
                                                  • Instruction ID: 552ba27d5b6e1dafa2a0629813981565f40a63efda770e11b68664f199341280
                                                  • Opcode Fuzzy Hash: 2aee52bd306fd1ea68f2ed9d310a3e871ee365c0fca2a858079c27097d18f045
                                                  • Instruction Fuzzy Hash: 9DF0AFB5D01308ABDB04EF91E9497DEBBB4EB44704F008129E904BA391DBB94508CF99
                                                  APIs
                                                  • CLSIDFromString.OLE32({A5DCBF10-6530-11D2-901F-00C04FB951ED},?), ref: 00403F81
                                                  • RegisterDeviceNotificationA.USER32(?,00000020,00000000), ref: 00403F91
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: DeviceFromNotificationRegisterString
                                                  • String ID: $@H3wP5w${A5DCBF10-6530-11D2-901F-00C04FB951ED}
                                                  • API String ID: 127757251-3071302313
                                                  • Opcode ID: 814bfbe37b979e61d8e9db6a540efc4823ed3f74601de960b62ef328dc568dd3
                                                  • Instruction ID: 6c502044654d5a850f253668880885ddb1d18f8aa2ed01388e1ad54aa2765daa
                                                  • Opcode Fuzzy Hash: 814bfbe37b979e61d8e9db6a540efc4823ed3f74601de960b62ef328dc568dd3
                                                  • Instruction Fuzzy Hash: 42F092B1D00309AFDB40DFE9D949BEEBBF8BB48301F10856AE509F6250E77456048FA5
                                                  APIs
                                                  • AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040B723
                                                  • LookupAccountSidW.ADVAPI32(00000000,00000000,?,00000101,?,00000010,?), ref: 0040B74F
                                                  • FreeSid.ADVAPI32(00000000,00000000,?,00000003,?,00000001), ref: 0040B77D
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: AccountAllocateFreeInitializeLookup
                                                  • String ID:
                                                  • API String ID: 1191408634-0
                                                  • Opcode ID: e458cb356869598acf3c6a912fa2a698b53054e6c610977c12b385146b92276f
                                                  • Instruction ID: c541f1c119cac1b24df40ed77b3987ae88e88e7c978752145e21089370ffd771
                                                  • Opcode Fuzzy Hash: e458cb356869598acf3c6a912fa2a698b53054e6c610977c12b385146b92276f
                                                  • Instruction Fuzzy Hash: 62218171900248FAEB00DBD0CC89FEEBBB8EB44704F00809AE645BA1C0D3B85648CBA5
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32 ref: 0040A98D
                                                  • OpenProcessToken.ADVAPI32(?,00000028,00000000), ref: 0040A9A0
                                                  • LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0040A9B0
                                                  • AdjustTokenPrivileges.ADVAPI32(00000000,00000000,00000001,00000010,00000000,00000000), ref: 0040A9D4
                                                  Similarity
                                                  • API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
                                                  • String ID:
                                                  • API String ID: 2349140579-0
                                                  APIs
                                                  • GetUserNameW.ADVAPI32(?,000001FE), ref: 0040B8A9
                                                  • NetUserGetInfo.NETAPI32(00000000,?,00000001,00000000), ref: 0040B8C0
                                                  • NetApiBufferFree.NETAPI32(00000002,00000000,?,00000001,00000000), ref: 0040B8DB
                                                  Similarity
                                                  • API ID: User$BufferFreeInfoName
                                                  • String ID:
                                                  • API String ID: 1139369389-0
                                                  APIs
                                                  • NetUserEnum.NETAPI32(00000000,00000001,00000002,00000000,FFFFFFFF,00000000,00000000,00000000), ref: 0040B7EC
                                                  • NetApiBufferFree.NETAPI32(00000000,00000000,00000001,00000002,00000000,FFFFFFFF,00000000,00000000,00000000), ref: 0040B873
                                                  Similarity
                                                  • API ID: BufferEnumFreeUser
                                                  • String ID:
                                                  • API String ID: 381629582-0
                                                  APIs
                                                  • GetVersionExA.KERNEL32(0000009C), ref: 0040B520
                                                  Similarity
                                                  • API ID: Version
                                                  • String ID:
                                                  • API String ID: 1889659487-0

                                                  Control-flow Graph

                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,IsWow64Process), ref: 004090A3
                                                  • GetProcAddress.KERNEL32(00000000), ref: 004090AA
                                                    • Part of subcall function 0040B4F0: GetVersionExA.KERNEL32(0000009C), ref: 0040B520
                                                    • Part of subcall function 0040A860: GetCurrentProcess.KERNEL32(00000000), ref: 0040A878
                                                    • Part of subcall function 0040A860: IsWow64Process.KERNEL32(00000000), ref: 0040A87F
                                                  • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\calc.exe,000001FF), ref: 004090E6
                                                  • lstrlenA.KERNEL32(C:\Windows\SysWOW64\calc.exe), ref: 004090F1
                                                  • RegEnumKeyA.ADVAPI32(80000003,00000000,?,000000FF), ref: 00409196
                                                  • lstrcpyA.KERNEL32(?,?), ref: 004091B2
                                                  • lstrcatA.KERNEL32(?,00402678), ref: 004091C4
                                                  • lstrcatA.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\Run), ref: 004091D6
                                                  • lstrcpyA.KERNEL32(?,?), ref: 00409214
                                                  • lstrcatA.KERNEL32(?,0040267C), ref: 00409226
                                                  • lstrcatA.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\RunOnce), ref: 00409238
                                                    • Part of subcall function 0040B5E0: AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,004090D7), ref: 0040B61B
                                                    • Part of subcall function 0040B5E0: CheckTokenMembership.ADVAPI32(00000000,004090D7,00000000), ref: 0040B634
                                                    • Part of subcall function 0040B5E0: FreeSid.ADVAPI32(004090D7), ref: 0040B649
                                                    • Part of subcall function 00409660: RegOpenKeyExA.ADVAPI32(80000002,00409133,00000000,00000003,?), ref: 0040967C
                                                    • Part of subcall function 00409660: RegEnumValueA.ADVAPI32(?,00000000,?,00000100,00000000,?,?,00000100), ref: 00409702
                                                    • Part of subcall function 00409660: StrRChrA.SHLWAPI(?,00000000,0000002E), ref: 0040976E
                                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0040934B
                                                  • wsprintfA.USER32 ref: 004093C1
                                                  • wsprintfA.USER32 ref: 004093E4
                                                  • CreateDirectoryA.KERNEL32(?,00000000), ref: 004093F6
                                                  • wsprintfA.USER32 ref: 00409449
                                                  • GetModuleFileNameA.KERNEL32(00000000,?,000000FF), ref: 00409460
                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 00409472
                                                  • DeleteFileA.KERNEL32(?), ref: 0040947F
                                                  • CopyFileA.KERNEL32(?,?,00000000), ref: 00409495
                                                  • SetFileAttributesA.KERNEL32(?,00000002), ref: 004094A4
                                                    • Part of subcall function 0040B1A0: SetLastError.KERNEL32(00000000), ref: 0040B1AB
                                                    • Part of subcall function 0040B1A0: RegCreateKeyExA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run,00000000,00000000,00000000,00000002,00000000,004094B6,00000000), ref: 0040B1D4
                                                    • Part of subcall function 0040B1A0: GetLastError.KERNEL32 ref: 0040B1DA
                                                    • Part of subcall function 0040B1A0: wsprintfA.USER32 ref: 0040B20A
                                                    • Part of subcall function 0040B1A0: lstrlenA.KERNEL32(?), ref: 0040B21A
                                                    • Part of subcall function 0040B1A0: RegSetValueExA.ADVAPI32(004094B6,Windows Update,00000000,00000001,?,?), ref: 0040B241
                                                    • Part of subcall function 0040B1A0: RegCloseKey.ADVAPI32(004094B6), ref: 0040B24B
                                                  • lstrcatA.KERNEL32(?,:Zone.Identifier), ref: 004094C5
                                                  • DeleteFileA.KERNEL32(?), ref: 004094D2
                                                  Similarity
                                                  • API ID: File$lstrcat$wsprintf$AttributesCreateDeleteDirectoryEnumErrorLastModuleProcessValuelstrcpylstrlen$AddressAllocateCheckCloseCopyCurrentFolderFreeHandleInitializeMembershipNameOpenPathProcTokenVersionWindowsWow64
                                                  • String ID: %s\%s$%s\%s\%s.exe$:Zone.Identifier$C:\Windows\SysWOW64\calc.exe$IsWow64Process$Microsoft\Windows\%s$Software\Microsoft\Windows\CurrentVersion\Run$Software\Microsoft\Windows\CurrentVersion\RunOnce$WindowsId$WindowsId$kernel32.dll
                                                  • API String ID: 3219722646-1546426466

                                                  Control-flow Graph

                                                  APIs
                                                  • GetFileAttributesExA.KERNEL32(00000000,00000000,?), ref: 0040783D
                                                  • GetEnvironmentVariableA.KERNEL32(APPDATA,?,00000103), ref: 0040788B
                                                  • lstrcatA.KERNEL32(?,\Update), ref: 0040789D
                                                  • CreateDirectoryA.KERNEL32(?,00000000), ref: 004078AC
                                                  • lstrcatA.KERNEL32(?,\Explorer.exe), ref: 004078BE
                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 004078EB
                                                  • DeleteFileA.KERNEL32(?), ref: 004078F8
                                                  • CopyFileA.KERNEL32(?,?,00000000), ref: 0040790E
                                                  • RegOpenKeyA.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,?), ref: 00407925
                                                  • RegSetValueExA.ADVAPI32(?,Windows Explorer Manager,00000000,00000001,?,?), ref: 00407998
                                                  • RegCloseKey.ADVAPI32(?), ref: 004079A5
                                                  • SetLastError.KERNEL32(00000000), ref: 004079AD
                                                  • CreateMutexA.KERNEL32(00000000,00000000,SVCHOST_MUTEX_OBJECT_RELEASED_c000900), ref: 004079BC
                                                  • GetLastError.KERNEL32 ref: 004079C2
                                                  Similarity
                                                  • API ID: File$AttributesCreateErrorLastlstrcat$CloseCopyDeleteDirectoryEnvironmentMutexOpenValueVariable
                                                  • String ID: %$APPDATA$C:\Windows\SysWOW64\calc.exe$D$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$SVCHOST_MUTEX_OBJECT_RELEASED_c000900$Windows Explorer Manager$\Explorer.exe$\Update$\mspaint.exe$msiexec.exe$mspaint.exe$notepad.exe
                                                  • API String ID: 3000446578-3309621867

                                                  Control-flow Graph

                                                  APIs
                                                  • VirtualQuery.KERNEL32(00405730,?,0000001C), ref: 0040577F
                                                  • LoadLibraryA.KERNEL32(user32.dll), ref: 00405790
                                                  • LoadLibraryA.KERNEL32(advapi32.dll), ref: 0040579B
                                                  • LoadLibraryA.KERNEL32(shell32.dll), ref: 004057A6
                                                  • LoadLibraryA.KERNEL32(urlmon.dll), ref: 004057B1
                                                  • LoadLibraryA.KERNEL32(wininet.dll), ref: 004057BC
                                                  • LoadLibraryA.KERNEL32(gdi32.dll), ref: 004057C7
                                                  • LoadLibraryA.KERNEL32(rpcrt4.dll), ref: 004057D2
                                                  • LoadLibraryA.KERNEL32(netapi32.dll), ref: 004057DD
                                                  • GetTickCount.KERNEL32 ref: 00405821
                                                    • Part of subcall function 00404370: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 004043DD
                                                    • Part of subcall function 00404370: wsprintfA.USER32 ref: 004043F6
                                                    • Part of subcall function 00404370: lstrlenA.KERNEL32(?), ref: 00404421
                                                    • Part of subcall function 00404370: GetDriveTypeA.KERNEL32(?), ref: 00404483
                                                    • Part of subcall function 00404370: wsprintfA.USER32 ref: 004044D8
                                                    • Part of subcall function 00404370: SetFileAttributesA.KERNEL32(?,00000080), ref: 004044ED
                                                    • Part of subcall function 00404370: DeleteFileA.KERNEL32(?), ref: 004044FA
                                                    • Part of subcall function 00404370: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00404519
                                                  • RegisterClassA.USER32(00000003), ref: 00405843
                                                  • CreateWindowExA.USER32(00000000,USBProc,USB,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00405872
                                                  Similarity
                                                  • API ID: LibraryLoad$File$Createwsprintf$AttributesClassCountDeleteDriveFolderPathQueryRegisterTickTypeVirtualWindowlstrlen
                                                  • String ID: USB$USBProc$USBProc$advapi32.dll$gdi32.dll$netapi32.dll$rpcrt4.dll$shell32.dll$urlmon.dll$user32.dll$wininet.dll
                                                  • API String ID: 2586757493-1785499669

                                                  Control-flow Graph

                                                  APIs
                                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0040ACAD
                                                    • Part of subcall function 0040A9E0: GetTickCount.KERNEL32 ref: 0040A9ED
                                                  • wsprintfA.USER32 ref: 0040ACD7
                                                  • wsprintfA.USER32 ref: 0040AD0B
                                                  • CreateDirectoryA.KERNEL32(?,00000000), ref: 0040AD1D
                                                  • SetCurrentDirectoryA.KERNEL32(?), ref: 0040AD2A
                                                  • wsprintfA.USER32 ref: 0040AD67
                                                    • Part of subcall function 0040AC10: CoCreateGuid.OLE32(?), ref: 0040AC1A
                                                    • Part of subcall function 0040AC10: UuidToStringA.RPCRT4(?,?), ref: 0040AC28
                                                    • Part of subcall function 0040AC10: lstrcpyA.KERNEL32(?,?), ref: 0040AC36
                                                  • RegCreateKeyExA.ADVAPI32(80000001,Software\WindowsId Manager Reader,00000000,00000000,00000000,000F003F,00000000,00000000,00000000), ref: 0040ADC7
                                                  • lstrlenA.KERNEL32(?), ref: 0040ADD4
                                                  • RegSetValueExA.ADVAPI32(00000000,WindowsMark,00000000,00000001,?,00000000), ref: 0040ADF2
                                                  • lstrlenA.KERNEL32(004111B8), ref: 0040ADFD
                                                  • RegSetValueExA.ADVAPI32(00000000,WindowsId,00000000,00000001,004111B8,00000000), ref: 0040AE19
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 0040AE26
                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000100), ref: 0040AE3A
                                                  • CopyFileA.KERNEL32(?,?,00000000), ref: 0040AE50
                                                  • CloseHandle.KERNEL32(00000000), ref: 0040AE5D
                                                  • CreateProcessA.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 0040AEBB
                                                  • ExitProcess.KERNEL32 ref: 0040AEC3
                                                  Similarity
                                                  • API ID: Create$wsprintf$CloseDirectoryFileProcessValuelstrlen$CopyCountCurrentExitFolderGuidHandleModuleNamePathStringTickUuidlstrcpy
                                                  • String ID: %s\%s$%s\%s\%s.exe$D$Microsoft\Windows\%$Software\WindowsId Manager Reader$WindowsId$WindowsMark
                                                  • API String ID: 1366244133-3970825820
                                                  APIs
                                                  • GetVolumeInformationA.KERNEL32(C:\,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00404170
                                                    • Part of subcall function 004040D0: lstrlenA.KERNEL32(?,?,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,?,?,?,?,?,?,?,?,?,?,?,?,004045A2), ref: 0040410D
                                                  • LoadLibraryA.KERNEL32(ole32.dll,CoInitializeEx), ref: 0040419A
                                                  • GetProcAddress.KERNEL32(00000000), ref: 004041A1
                                                  • CoCreateInstance.OLE32(00403644,00000000,00000001,00403634,00000000), ref: 004041DA
                                                  • wsprintfA.USER32 ref: 00404237
                                                  • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 004042FE
                                                  • DeleteFileW.KERNEL32(00000000), ref: 00404308
                                                  Strings
                                                  • CoInitializeEx, xrefs: 00404190
                                                  • %SystemRoot%\system32\SHELL32.dll, xrefs: 004042A5
                                                  • ole32.dll, xrefs: 00404195
                                                  • /c "%%SystemRoot%%\explorer.exe %%cd%%%s & attrib -s -h %%cd%%%s & xcopy /F /S /Q /H /R /Y %%cd%%%s %%temp%%\%s\ & attrib +s +h %%cd%%%s & start %%temp%%\%s\%s & exit", xrefs: 0040422B
                                                  • %ALLUSERSPROFILE%\..\..\windows\system32\cmd.exe, xrefs: 00404273
                                                  • %SystemRoot%\system32\SHELL32.dll, xrefs: 004042BC
                                                  • /c "start %%cd%%%s & attrib -s -h %%cd%%%s & xcopy /F /S /Q /H /R /Y %%cd%%%s %%temp%%\%s\ & attrib +s +h %%cd%%%s & start %%temp%%\%s\%s & exit", xrefs: 0040425E
                                                  • C:\, xrefs: 0040416B
                                                  • P5w, xrefs: 004041DA
                                                  Similarity
                                                  • API ID: File$AddressAttributesCreateDeleteInformationInstanceLibraryLoadProcVolumelstrlenwsprintf
                                                  • String ID: %ALLUSERSPROFILE%\..\..\windows\system32\cmd.exe$%SystemRoot%\system32\SHELL32.dll$%SystemRoot%\system32\SHELL32.dll$/c "%%SystemRoot%%\explorer.exe %%cd%%%s & attrib -s -h %%cd%%%s & xcopy /F /S /Q /H /R /Y %%cd%%%s %%temp%%\%s\ & attrib +s +h %%cd%%%s & start %%temp%%\%s\%s & exit"$/c "start %%cd%%%s & attrib -s -h %%cd%%%s & xcopy /F /S /Q /H /R /Y %%cd%%%s %%temp%%\%s\ & attrib +s +h %%cd%%%s & start %%temp%%\%s\%s & exit"$C:\$CoInitializeEx$P5w$ole32.dll
                                                  • API String ID: 2929663616-4271732726
                                                  • Opcode ID: 09efe8b1c337dfccd11135b723471cbcbda60fae172a11d52b075fb5ce88dd10
                                                  • Instruction ID: fbb9be6809ada01fc96e8a01bf1f1bbc34a428f8fc15b838987ad84d3cc87ebb
                                                  • Opcode Fuzzy Hash: 09efe8b1c337dfccd11135b723471cbcbda60fae172a11d52b075fb5ce88dd10
                                                  • Instruction Fuzzy Hash: 06714DB5A40209AFDB14DF94CC85FAF77B9AF88700F108159F715BB2E0D674AA41CBA4
                                                  APIs
                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,00000000), ref: 00408537
                                                  • CreateThread.KERNEL32(00000000,00000000,004083C0,00411828,00000000,00408BF8), ref: 004087C0
                                                  • CreateThread.KERNEL32(00000000,00000000,004083C0,00411620,00000000,?), ref: 004087DD
                                                  • CreateThread.KERNEL32(00000000,00000000,004083C0,0041140C,00000000,?), ref: 004087FA
                                                  • CreateThread.KERNEL32(00000000,00000000,004083C0,00411C40,00000000,?), ref: 00408817
                                                    • Part of subcall function 00407FE0: GetVersionExA.KERNEL32(00000094), ref: 00407FFA
                                                    • Part of subcall function 00408180: SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 00408199
                                                    • Part of subcall function 00408180: SHGetSpecialFolderPathA.SHELL32(00000000,?,00000024,00000000), ref: 004081AE
                                                    • Part of subcall function 00408180: wsprintfA.USER32 ref: 004081D1
                                                  • CreateThread.KERNEL32(00000000,00000000,00408020,00411308,00000000,^@), ref: 00408862
                                                  • CreateThread.KERNEL32(00000000,00000000,00408020,004110B0,00000000,?), ref: 0040887F
                                                  • WaitForMultipleObjects.KERNEL32(00000006,?,00000001,000000FF), ref: 00408892
                                                  Strings
                                                  • Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00408766
                                                  • Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 004087A2
                                                  • Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 0040877A
                                                  • \Microsoft\Windows, xrefs: 004085D5
                                                  • \Update, xrefs: 004086A2
                                                  • ^@, xrefs: 0040884E, 00408851
                                                  • Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0040878E
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: CreateThread$FolderPathSpecial$MultipleObjectsVersionWaitwsprintf
                                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Run$Software\Microsoft\Windows\CurrentVersion\Run$Software\Microsoft\Windows\CurrentVersion\RunOnce$Software\Microsoft\Windows\CurrentVersion\RunOnce$\Microsoft\Windows$\Update$^@
                                                  • API String ID: 795435823-515337332
                                                  • Opcode ID: b82843b7d3ff884eb1bef8c79402aab55890f4a016f87d36340781a2755c2100
                                                  • Instruction ID: c4e4fa443f19332499a732193cb204527a8d5f723617a70594299cb751b2c918
                                                  • Opcode Fuzzy Hash: b82843b7d3ff884eb1bef8c79402aab55890f4a016f87d36340781a2755c2100
                                                  • Instruction Fuzzy Hash: A0A15774944358AFDB24CF24DD45BD9BBB0AB49704F1081EAE6487B3E1D7B52A84CF48
                                                  APIs
                                                  • RegCreateKeyExA.ADVAPI32(80000001,Software\WindowsId Manager Reader,00000000,00000000,00000000,000F003F,00000000,00000000,00000000), ref: 0040AA82
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 0040AA98
                                                  • RegQueryValueExA.ADVAPI32(00000000,WindowsId,00000000,00000000,004111B8,00000040), ref: 0040AAEB
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 0040AB03
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: Close$CreateQueryValue
                                                  • String ID: %s\%s$@$Software\WindowsId Manager Reader$WindowsId$WindowsMark
                                                  • API String ID: 2495337196-3824015250
                                                  • Opcode ID: b78df561d182bebfc48fd5293e36e507b1cfa2671cda862fd2c0af57198ec559
                                                  • Instruction ID: a667765b50789daffa6fd847540b56cdf908acb99e4b61ae21f8836eec6870f4
                                                  • Opcode Fuzzy Hash: b78df561d182bebfc48fd5293e36e507b1cfa2671cda862fd2c0af57198ec559
                                                  • Instruction Fuzzy Hash: F941A8B1900214ABE720DB90DD89FEA7378AB58701F1041E9B789B91D0D7F86AC48F5D
                                                  APIs
                                                    • Part of subcall function 00407D90: LoadLibraryW.KERNEL32 ref: 00407DB3
                                                  • SetLastError.KERNEL32(00000000), ref: 00407C6D
                                                  • CreateMutexA.KERNEL32(00000000,00000000,MonitorSvchost_MUTEX_OBJECT_RELEASED_c000900), ref: 00407C7C
                                                  • GetLastError.KERNEL32 ref: 00407C82
                                                  • ExitProcess.KERNEL32 ref: 00407C91
                                                  • GetProcessVersion.KERNEL32(000006D4), ref: 00407CAB
                                                  • SHGetFolderPathA.SHELL32(00000000,00000025,00000000,00000000,C:\Windows\SysWOW64\calc.exe), ref: 00407CF6
                                                  • lstrcatA.KERNEL32(C:\Windows\SysWOW64\calc.exe,\svchost.exe), ref: 00407D06
                                                  • CreateProcessA.KERNEL32(C:\Windows\SysWOW64\calc.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 00407D4E
                                                  • Sleep.KERNEL32(000003E8), ref: 00407D75
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: Process$CreateErrorLast$ExitFolderLibraryLoadMutexPathSleepVersionlstrcat
                                                  • String ID: %$C:\Windows\SysWOW64\calc.exe$D$MonitorSvchost_MUTEX_OBJECT_RELEASED_c000900$\svchost.exe
                                                  • API String ID: 1779936777-589066060
                                                  • Opcode ID: 4e7951339387b767b03e3b5459851cf817f3703a4fa7f0b3fa8dc69adcc5f149
                                                  • Instruction ID: e0d32afec2320e33bf0c0e9998b81b96b68c58425f7897560af518dae8a2dad1
                                                  • Opcode Fuzzy Hash: 4e7951339387b767b03e3b5459851cf817f3703a4fa7f0b3fa8dc69adcc5f149
                                                  • Instruction Fuzzy Hash: 3F212471F84304BBF714AB909D0FFAA7764AB48B05F240126F705BD1D1D6F96940865E
                                                  APIs
                                                    • Part of subcall function 00407D90: LoadLibraryW.KERNEL32 ref: 00407DB3
                                                  • SetLastError.KERNEL32(00000000), ref: 00407B20
                                                  • CreateMutexA.KERNEL32(00000000,00000000,MonitorPaint_MUTEX_OBJECT_RELEASED_c000900), ref: 00407B2F
                                                  • GetLastError.KERNEL32 ref: 00407B35
                                                  • ExitProcess.KERNEL32 ref: 00407B44
                                                  • GetProcessVersion.KERNEL32(00000000), ref: 00407B5E
                                                  • SHGetFolderPathA.SHELL32(00000000,00000025,00000000,00000000,C:\Windows\SysWOW64\calc.exe), ref: 00407BB2
                                                  • lstrcatA.KERNEL32(C:\Windows\SysWOW64\calc.exe,\mspaint.exe), ref: 00407BC2
                                                  • CreateProcessA.KERNEL32(C:\Windows\SysWOW64\calc.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 00407C19
                                                  • Sleep.KERNEL32(000003E8), ref: 00407C46
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: Process$CreateErrorLast$ExitFolderLibraryLoadMutexPathSleepVersionlstrcat
                                                  • String ID: %$C:\Windows\SysWOW64\calc.exe$D$MonitorPaint_MUTEX_OBJECT_RELEASED_c000900$\mspaint.exe
                                                  • API String ID: 1779936777-2449296330
                                                  • Opcode ID: ee5e68dc991affbb127676cc6386367b8ca73b48ca72b39743b9f37f64e4d984
                                                  • Instruction ID: ba99bc354057d66eb0d4294c6c72263c55f53aba11e24846b0ca504a620238c0
                                                  • Opcode Fuzzy Hash: ee5e68dc991affbb127676cc6386367b8ca73b48ca72b39743b9f37f64e4d984
                                                  • Instruction Fuzzy Hash: 5B316570EC430467F7246B50AD4BF993774A748B05F104166F7097D1D1D6F969808E6E
                                                  APIs
                                                  • lstrlenA.KERNEL32(?), ref: 0040491E
                                                  • lstrlenA.KERNEL32(?,?,00000000), ref: 00404933
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000), ref: 00404945
                                                    • Part of subcall function 00404140: GetVolumeInformationA.KERNEL32(C:\,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00404170
                                                    • Part of subcall function 00404140: LoadLibraryA.KERNEL32(ole32.dll,CoInitializeEx), ref: 0040419A
                                                    • Part of subcall function 00404140: GetProcAddress.KERNEL32(00000000), ref: 004041A1
                                                  • SetFileAttributesA.KERNEL32(?,00000006), ref: 0040497C
                                                  • SetFileAttributesA.KERNEL32(?,00000005), ref: 0040498B
                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 0040499F
                                                  • wsprintfA.USER32 ref: 004049C7
                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 004049DC
                                                  • DeleteFileA.KERNEL32(?), ref: 004049E9
                                                  • CopyFileA.KERNEL32(?,?,00000000), ref: 004049FF
                                                  • SetFileAttributesA.KERNEL32(?,00000006), ref: 00404A0E
                                                  • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000006,00000000), ref: 00404A2A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: File$Attributes$lstrlen$AddressByteCharCopyCreateDeleteFindInformationLibraryLoadMultiNextProcVolumeWidewsprintf
                                                  • String ID: %s\%s
                                                  • API String ID: 1757339674-4073750446
                                                  • Opcode ID: 23fa19bc1538dd12fbcf9ace5d4b628790313e7dd6ef5f7a18b242c5b6d06026
                                                  • Instruction ID: 5707054bfd6de1dc005fb0b5adb5acdf3c1d84e703ec4b0ad876e49fe48b7746
                                                  • Opcode Fuzzy Hash: 23fa19bc1538dd12fbcf9ace5d4b628790313e7dd6ef5f7a18b242c5b6d06026
                                                  • Instruction Fuzzy Hash: 2A3165B2904258ABDB24DBA0DD48FDA7778FB48700F4085DAB349F50A0EB746784CF55
                                                  APIs
                                                    • Part of subcall function 00407D90: LoadLibraryW.KERNEL32 ref: 00407DB3
                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,IsWow64Process), ref: 00403705
                                                  • GetProcAddress.KERNEL32(00000000), ref: 0040370C
                                                  • SetLastError.KERNEL32(00000000), ref: 00403719
                                                  • CreateMutexA.KERNEL32(00000000,00000000,AAVkillllerrrsdadc000900), ref: 00403728
                                                  • GetLastError.KERNEL32 ref: 0040372E
                                                  • ExitProcess.KERNEL32 ref: 0040373D
                                                  • GetCurrentProcessId.KERNEL32 ref: 00403743
                                                  • CreateThread.KERNEL32(00000000,00000000,Function_000036A0,00000000,00000000,00000000), ref: 0040375D
                                                  • CreateThread.KERNEL32(00000000,00000000,00403CD0,00000000,00000000,00000000), ref: 004037F6
                                                  • CreateThread.KERNEL32(00000000,00000000,00403B60,00000000,00000000,00000000), ref: 0040380E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: Create$Thread$ErrorLastProcess$AddressCurrentExitHandleLibraryLoadModuleMutexProc
                                                  • String ID: AAVkillllerrrsdadc000900$IsWow64Process$kernel32.dll
                                                  • API String ID: 287773984-3869063687
                                                  • Opcode ID: e28acdcbe322c968b2d53e562acce931b8773580a294b4540a8b90e6ffb142b7
                                                  • Instruction ID: b8bf65c5dc3f78f05b5b1383a34b86d275f32cf4d6e166420d685c8036ff2d74
                                                  • Opcode Fuzzy Hash: e28acdcbe322c968b2d53e562acce931b8773580a294b4540a8b90e6ffb142b7
                                                  • Instruction Fuzzy Hash: CD21AC74A84704BBF3246FA1FD0BB543A64AB08B06F208136F705BD6E1DBF925448A5D
                                                  APIs
                                                  • GetProcessVersion.KERNEL32(00000000), ref: 00407DED
                                                  • SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 00407E81
                                                  • lstrcatW.KERNEL32(?,\charmap.exe), ref: 00407E93
                                                  • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?), ref: 00407EDC
                                                  • lstrcatW.KERNEL32(?,\Windows Media Player\wmprph.exe), ref: 00407EEE
                                                  • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000001,08000000,00000000,00000000,00000044,?), ref: 00407F14
                                                  • ExitProcess.KERNEL32 ref: 00407F2F
                                                    • Part of subcall function 0040A860: GetCurrentProcess.KERNEL32(00000000), ref: 0040A878
                                                    • Part of subcall function 0040A860: IsWow64Process.KERNEL32(00000000), ref: 0040A87F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: Process$FolderPathlstrcat$CreateCurrentExitVersionWow64
                                                  • String ID: &$D$WindowsSecondaryDesktop$\Windows Media Player\wmprph.exe$\charmap.exe
                                                  • API String ID: 920241506-2392492338
                                                  • Opcode ID: b00b75977889afdc0515e12ef570fda252ef5340b6758540f2d113666a13d6c0
                                                  • Instruction ID: d56608f253ea54267f67195f27f3eca48070975def5183a206c84f91d5e852d3
                                                  • Opcode Fuzzy Hash: b00b75977889afdc0515e12ef570fda252ef5340b6758540f2d113666a13d6c0
                                                  • Instruction Fuzzy Hash: B731A471A54308BAEB10DBA1DD4EFAE7738AB04704F104265F304BE1D1EBB96E448B5A
                                                  APIs
                                                  • RegCreateKeyExA.ADVAPI32(00000000,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00000000,00000000,00000002,00000000,?,00000000), ref: 0040953F
                                                  • GetLastError.KERNEL32 ref: 00409545
                                                  • RegSetValueExA.ADVAPI32(?,DisableLocalMachineRun,00000000,00000004,00000001,00000004), ref: 00409562
                                                  • RegSetValueExA.ADVAPI32(?,DisableCurrentUserRun,00000000,00000004,00000001,00000004), ref: 0040957B
                                                  • RegSetValueExA.ADVAPI32(?,DisableLocalMachineRunOnce,00000000,00000004,00000001,00000004), ref: 00409594
                                                  • RegSetValueExA.ADVAPI32(?,DisableCurrentUserRunOnce,00000000,00000004,00000001,00000004), ref: 004095AD
                                                  • RegCloseKey.ADVAPI32(?), ref: 004095B7
                                                  Strings
                                                  • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, xrefs: 00409536
                                                  • DisableCurrentUserRunOnce, xrefs: 004095A4
                                                  • DisableLocalMachineRun, xrefs: 00409559
                                                  • DisableLocalMachineRunOnce, xrefs: 0040958B
                                                  • DisableCurrentUserRun, xrefs: 00409572
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: Value$CloseCreateErrorLast
                                                  • String ID: DisableCurrentUserRun$DisableCurrentUserRunOnce$DisableLocalMachineRun$DisableLocalMachineRunOnce$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
                                                  • API String ID: 4022192774-437252294
                                                  • Opcode ID: 663edfdf296410c5bb2c2ce1c7f5328dee2b5fcd290e097d9ad64faeac7c6d52
                                                  • Instruction ID: 606c40480729363ef0db3d8d5c4f1bf637bef7b53e117718dd3cc0a294092a1d
                                                  • Opcode Fuzzy Hash: 663edfdf296410c5bb2c2ce1c7f5328dee2b5fcd290e097d9ad64faeac7c6d52
                                                  • Instruction Fuzzy Hash: 5A11FEB5A80308BBE720DF90CC4AFAE7738AB44B00F104569B761BA5E0D7B4A544CB98
                                                  APIs
                                                  • SetLastError.KERNEL32(00000000,004092D2,80000002), ref: 004095D8
                                                  • RegCreateKeyExA.ADVAPI32(?,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00409603
                                                  • GetLastError.KERNEL32 ref: 00409609
                                                  • RegDeleteValueA.ADVAPI32(?,DisableLocalMachineRun), ref: 0040961C
                                                  • RegDeleteValueA.ADVAPI32(?,DisableCurrentUserRun), ref: 0040962B
                                                  • RegDeleteValueA.ADVAPI32(?,DisableLocalMachineRunOnce), ref: 0040963A
                                                  • RegDeleteValueA.ADVAPI32(?,DisableCurrentUserRunOnce), ref: 00409649
                                                  Strings
                                                  • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, xrefs: 004095FA
                                                  • DisableCurrentUserRunOnce, xrefs: 00409640
                                                  • DisableLocalMachineRun, xrefs: 00409613
                                                  • DisableLocalMachineRunOnce, xrefs: 00409631
                                                  • DisableCurrentUserRun, xrefs: 00409622
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                   • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                   • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: DeleteValue$ErrorLast$Create
                                                  • String ID: DisableCurrentUserRun$DisableCurrentUserRunOnce$DisableLocalMachineRun$DisableLocalMachineRunOnce$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
                                                  • API String ID: 3522162313-437252294
                                                  • Opcode ID: 574682cb93caa0fd2d08dca9ab167350086bb059a5a151329aae17decd17dc52
                                                  • Instruction ID: b2ca9487a47d0d1f468b86c234a546429709b410bd41a7179c6f19bbdf934fa1
                                                  • Opcode Fuzzy Hash: 574682cb93caa0fd2d08dca9ab167350086bb059a5a151329aae17decd17dc52
                                                  • Instruction Fuzzy Hash: 6101FB75A40248BBDB10DFE0DE4AF9A7B78AB08B01F100575F705BA5E1DAB4A5448B58
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 00403B6B
                                                  • GetProcAddress.KERNEL32(?,GetExtendedTcpTable), ref: 00403B7D
                                                  • GetProcAddress.KERNEL32(?,GetOwnerModuleFromTcpEntry), ref: 00403B8F
                                                  • GetProcessHeap.KERNEL32 ref: 00403B98
                                                  • VirtualAlloc.KERNEL32(00000000,0000400C,00003000,00000004), ref: 00403BAF
                                                  • VirtualAlloc.KERNEL32(00000000,0000400C,00003000,00000004), ref: 00403BC6
                                                  • SetTcpEntry.IPHLPAPI(0000000C), ref: 00403C88
                                                  • Sleep.KERNEL32(00000064), ref: 00403CB3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: AddressAllocProcVirtual$EntryHeapLibraryLoadProcessSleep
                                                  • String ID: GetExtendedTcpTable$GetOwnerModuleFromTcpEntry$iphlpapi.dll
                                                  • API String ID: 3003257622-3337519260
                                                  • Opcode ID: e1a6c0fe23d325a99b1a91aa6f61399235ef8a28adc714145d4753b729db9a2a
                                                  • Instruction ID: 271d9c85a4bb4ef05d89616e65d45afaf7df3e1c1709bf0086beccc833827dd6
                                                  • Opcode Fuzzy Hash: e1a6c0fe23d325a99b1a91aa6f61399235ef8a28adc714145d4753b729db9a2a
                                                  • Instruction Fuzzy Hash: F4412B74E00208EFEB18DF94D945BAEBBB1FB48701F208169EA01BB3D0D7759A40CB59
                                                  APIs
                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000024,00000000), ref: 004088B6
                                                  • wsprintfA.USER32 ref: 004088D6
                                                    • Part of subcall function 0040A9E0: GetTickCount.KERNEL32 ref: 0040A9ED
                                                  • wsprintfA.USER32 ref: 00408911
                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 00408926
                                                  • MoveFileA.KERNEL32(?,?), ref: 0040893A
                                                  • GetLastError.KERNEL32 ref: 00408949
                                                  • lstrlenA.KERNEL32(?), ref: 00408981
                                                  • SHFileOperationA.SHELL32(?), ref: 004089B1
                                                  • MoveFileA.KERNEL32(?,00000000), ref: 004089C5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: File$Movewsprintf$AttributesCountErrorFolderLastOperationPathSpecialTicklstrlen
                                                  • String ID: %s\%s$%s\Recycler
                                                  • API String ID: 1234021666-2144182538
                                                  • Opcode ID: 279f28c5805f63a8d59b4727eeab5f5c586045673b72159250d98c3e1b1e49d5
                                                  • Instruction ID: e378ad927511b989af0bab4c3304993050f75f72216a94f6b96cd3f6d8333fba
                                                  • Opcode Fuzzy Hash: 279f28c5805f63a8d59b4727eeab5f5c586045673b72159250d98c3e1b1e49d5
                                                  • Instruction Fuzzy Hash: 66319C7185021CABDB21DB60DC8DFE9777CAB18700F4045E9E608B6191EBB46BC88F65
                                                  APIs
                                                  • SetLastError.KERNEL32(00000000), ref: 0040A6EB
                                                  • RegCreateKeyExA.ADVAPI32(?,Software\Microsoft\Windows NT\CurrentVersion\Winlogon,00000000,00000000,00000000,00000002,00000000,?,00000000), ref: 0040A713
                                                  • GetLastError.KERNEL32 ref: 0040A719
                                                  • wsprintfA.USER32 ref: 0040A749
                                                  • lstrlenA.KERNEL32(?), ref: 0040A759
                                                  • RegSetValueExA.ADVAPI32(?,Shell,00000000,00000001,?,?), ref: 0040A780
                                                  • RegCloseKey.ADVAPI32(?), ref: 0040A78A
                                                  Strings
                                                  • Shell, xrefs: 0040A777
                                                  • "%s" -shell, xrefs: 0040A73D
                                                  • Software\Microsoft\Windows NT\CurrentVersion\Winlogon, xrefs: 0040A70A
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$CloseCreateValuelstrlenwsprintf
                                                  • String ID: "%s" -shell$Shell$Software\Microsoft\Windows NT\CurrentVersion\Winlogon
                                                  • API String ID: 2854385000-819943716
                                                  • Opcode ID: 8200fd248a0f6c52fd6822808af0ce95bf219817223617a0e6200ee554174798
                                                  • Instruction ID: 12299d9f3acdf5e42ec95f2032aa18fc2be6fc9d0a040067eaeb0394221cc547
                                                  • Opcode Fuzzy Hash: 8200fd248a0f6c52fd6822808af0ce95bf219817223617a0e6200ee554174798
                                                  • Instruction Fuzzy Hash: A5112179A40308BBD724DB90DD4AFD97778AB48700F1041A5F745BA1D0DAF46AC48F99
                                                  APIs
                                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0040568E
                                                  • lstrcatA.KERNEL32(?,\ScreenSaverPro.scr), ref: 004056A0
                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 004056B2
                                                  • DeleteFileA.KERNEL32(?), ref: 004056BF
                                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 004056EA
                                                  • lstrcatA.KERNEL32(?,\temp.bin), ref: 004056FC
                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 0040570E
                                                  • DeleteFileA.KERNEL32(?), ref: 0040571B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: File$AttributesDeleteFolderPathlstrcat
                                                  • String ID: \ScreenSaverPro.scr$\temp.bin
                                                  • API String ID: 1210350844-1406291079
                                                  • Opcode ID: 05805bfa7d038fbc79f0fd86365a93916fc77a7f2e3d7860662ce7296810998b
                                                  • Instruction ID: c03751a838cb0558edf06eb0459ccfaf18fbed488edc14e6d4572f57baee86d5
                                                  • Opcode Fuzzy Hash: 05805bfa7d038fbc79f0fd86365a93916fc77a7f2e3d7860662ce7296810998b
                                                  • Instruction Fuzzy Hash: 321137B568430877D710DBA0DD8EFD57338AB18701F400495B785F90D0EAF456C88F55
                                                  APIs
                                                  • SetLastError.KERNEL32(00000000), ref: 0040B00B
                                                  • RegCreateKeyExA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00000000,00000000,00000002,00000000,?,00000000), ref: 0040B034
                                                  • GetLastError.KERNEL32 ref: 0040B03A
                                                  • wsprintfA.USER32 ref: 0040B06A
                                                  • lstrlenA.KERNEL32(?), ref: 0040B07A
                                                  • RegSetValueExA.ADVAPI32(?,Windows Update,00000000,00000001,?,?), ref: 0040B0A1
                                                  • RegCloseKey.ADVAPI32(?), ref: 0040B0AB
                                                  Strings
                                                  • "%s" -shell, xrefs: 0040B05E
                                                  • Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 0040B02A
                                                  • Windows Update, xrefs: 0040B098
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$CloseCreateValuelstrlenwsprintf
                                                  • String ID: "%s" -shell$Software\Microsoft\Windows\CurrentVersion\RunOnce$Windows Update
                                                  • API String ID: 2854385000-4182519842
                                                  • Opcode ID: 2ab1504ff2415f4b12816492fd75c9f95fae5eb5057bf6113b7cecdd24260823
                                                  • Instruction ID: 556e25b19854b7da88d313f498740bf6149eb8744cdea27832effb6f7b197a3f
                                                  • Opcode Fuzzy Hash: 2ab1504ff2415f4b12816492fd75c9f95fae5eb5057bf6113b7cecdd24260823
                                                  • Instruction Fuzzy Hash: 26115279A40304BBE720DB90DD4AFDA7738AB58B00F1041A5F745BA1D0DBF46AC49FA9
                                                  APIs
                                                  • SetLastError.KERNEL32(00000000), ref: 0040B1AB
                                                  • RegCreateKeyExA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run,00000000,00000000,00000000,00000002,00000000,004094B6,00000000), ref: 0040B1D4
                                                  • GetLastError.KERNEL32 ref: 0040B1DA
                                                  • wsprintfA.USER32 ref: 0040B20A
                                                  • lstrlenA.KERNEL32(?), ref: 0040B21A
                                                  • RegSetValueExA.ADVAPI32(004094B6,Windows Update,00000000,00000001,?,?), ref: 0040B241
                                                  • RegCloseKey.ADVAPI32(004094B6), ref: 0040B24B
                                                  Strings
                                                  • Windows Update, xrefs: 0040B238
                                                  • "%s" -shell, xrefs: 0040B1FE
                                                  • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, xrefs: 0040B1CA
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$CloseCreateValuelstrlenwsprintf
                                                  • String ID: "%s" -shell$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run$Windows Update
                                                  • API String ID: 2854385000-1476424916
                                                  • Opcode ID: 2b485933087b5175f5019ea39bea4b3f6a833dabbcdcb27781a3ab565d97c78c
                                                  • Instruction ID: b2efbb2d464ce1b786fdbd996320a454fedccc807762ba2ff36dfb7c51c01623
                                                  • Opcode Fuzzy Hash: 2b485933087b5175f5019ea39bea4b3f6a833dabbcdcb27781a3ab565d97c78c
                                                  • Instruction Fuzzy Hash: E3113379A40204BBE720DB90DD4AFD97738AB54701F1041A5B745BA1D0DBF46AC48F99
                                                  APIs
                                                  • lstrcmpA.KERNEL32(00000000,o1xg.org), ref: 0040BD30
                                                  • lstrcmpA.KERNEL32(00000000,oxxtxxt.biz), ref: 0040BD43
                                                  • lstrcmpA.KERNEL32(00000000,oeob.me), ref: 0040BD56
                                                  • lstrcmpA.KERNEL32(00000000,00412438), ref: 0040BD6D
                                                  • lstrcmpA.KERNEL32(00412438,impossible), ref: 0040BD81
                                                  • lstrcpyA.KERNEL32(00412438,00000000), ref: 0040BDD1
                                                  • SetLastError.KERNEL32(00000000), ref: 0040BDF6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: lstrcmp$ErrorLastlstrcpy
                                                  • String ID: impossible$o1xg.org$oeob.me$oxxtxxt.biz
                                                  • API String ID: 3502371415-2041036455
                                                  • Opcode ID: 71c1200394823e95c3cf4252700ef0762d05540a373f95b25e73d3b5a1574f91
                                                  • Instruction ID: d872db33c897460a84c569533fdee69d212669c608757179ad06897cdc042196
                                                  • Opcode Fuzzy Hash: 71c1200394823e95c3cf4252700ef0762d05540a373f95b25e73d3b5a1574f91
                                                  • Instruction Fuzzy Hash: EB310974A00209EBDB14DFA5EA45B9A7BB5FF48704F10813AF915AB3A0C7789950CF9C
                                                  APIs
                                                  • RegOpenKeyExA.ADVAPI32(80000002,00409133,00000000,00000003,?), ref: 0040967C
                                                  • RegEnumValueA.ADVAPI32(?,00000000,?,00000100,00000000,?,?,00000100), ref: 00409702
                                                  • StrRChrA.SHLWAPI(?,00000000,0000002E), ref: 0040976E
                                                  • StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 004098BB
                                                  • RegCloseKey.ADVAPI32(?), ref: 00409955
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: CloseEnumOpenValue
                                                  • String ID: :Zone.Identifier
                                                  • API String ID: 4012628704-2436405130
                                                  • Opcode ID: d2c3fe7cc40197fa3e81b465f0a71fafbbb3b46e48184fb3c7b74835ea325dd8
                                                  • Instruction ID: 68c6fd8061445d74a47e51b6e0bc5891f3e1e1f11f7d33bdb168ce35fe37381d
                                                  • Opcode Fuzzy Hash: d2c3fe7cc40197fa3e81b465f0a71fafbbb3b46e48184fb3c7b74835ea325dd8
                                                  • Instruction Fuzzy Hash: 2A8131B6D00218ABDB24DF90DC85FDA7378BB58304F0445E9E249A6281D7B59FC4CF99
                                                  APIs
                                                  • SetLastError.KERNEL32(00000000), ref: 0040A7AB
                                                  • RegCreateKeyExA.ADVAPI32(?,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00000000,00000000,00000002,00000000,?,00000000), ref: 0040A7D3
                                                  • GetLastError.KERNEL32 ref: 0040A7D9
                                                  • wsprintfA.USER32 ref: 0040A809
                                                  • lstrlenA.KERNEL32(?), ref: 0040A819
                                                  • RegSetValueExA.ADVAPI32(?,004111B8,00000000,00000001,?,?), ref: 0040A840
                                                  • RegCloseKey.ADVAPI32(?), ref: 0040A84A
                                                  Strings
                                                  • "%s" -bind, xrefs: 0040A7FD
                                                  • Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0040A7CA
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$CloseCreateValuelstrlenwsprintf
                                                  • String ID: "%s" -bind$Software\Microsoft\Windows\CurrentVersion\Run
                                                  • API String ID: 2854385000-1962850063
                                                  • Opcode ID: 5a19961b216faa5d25f8b84906418df53b5452555b48ea9d8c35323b5a1026d2
                                                  • Instruction ID: 6ee20d38c4b2ab6eb78e02fa4e7674e947b46c8e286a1680c7ea6a0e8e843532
                                                  • Opcode Fuzzy Hash: 5a19961b216faa5d25f8b84906418df53b5452555b48ea9d8c35323b5a1026d2
                                                  • Instruction Fuzzy Hash: 7A113375A40308BBD724DFA0DD4AFD97738AB48B00F1041A5B745BA1D0DBF46AC48F99
                                                  APIs
                                                  • CreateFileA.KERNEL32(C:\log.txt,00000004,00000001,00000000,00000003,00000080,00000000), ref: 00407F5A
                                                  • CloseHandle.KERNEL32(000000FF), ref: 00407F6D
                                                  • CreateFileA.KERNEL32(C:\log.txt,00000002,00000001,00000000,00000001,00000080,00000000), ref: 00407F87
                                                  • WriteFile.KERNEL32(000000FF,0040241C,00000002,?,00000000), ref: 00407FA1
                                                  • lstrlenA.KERNEL32(000000FF,?,00000000), ref: 00407FB1
                                                  • WriteFile.KERNEL32(000000FF,000000FF,00000000), ref: 00407FC0
                                                  • CloseHandle.KERNEL32(000000FF), ref: 00407FCA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: File$CloseCreateHandleWrite$lstrlen
                                                  • String ID: C:\log.txt$C:\log.txt
                                                  • API String ID: 2678504728-3239557954
                                                  • Opcode ID: cf1f2638564e73cbb2b718d316f24c6a20f823d7431063a226dd065ebeb13f83
                                                  • Instruction ID: 502941f35c4602e10d81742b17a77d31ff1de2645725562a3e8a2ebee1b60c21
                                                  • Opcode Fuzzy Hash: cf1f2638564e73cbb2b718d316f24c6a20f823d7431063a226dd065ebeb13f83
                                                  • Instruction Fuzzy Hash: 28112D75A80304BBEB24DBE0DD8EFDD7B78AB08B11F104165F741BA2D0DAB066808B58
                                                  APIs
                                                  • SHGetFolderPathA.SHELL32(00000000,00000025,00000000,00000000,?), ref: 0040A8F5
                                                  • lstrcatA.KERNEL32(?,00402720), ref: 0040A907
                                                  • lstrcatA.KERNEL32(?,userinit.exe), ref: 0040A919
                                                  • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 0040A945
                                                  • CreateProcessA.KERNEL32(00000000,explorer.exe,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 0040A968
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: CreateProcesslstrcat$FolderPath
                                                  • String ID: D$explorer.exe$userinit.exe
                                                  • API String ID: 3442338259-24035540
                                                  • Opcode ID: 405c74230e7fd62e76907c8d6a9f36c2966c6e7a5a79d25ecad16cb9204dac97
                                                  • Instruction ID: 1772130221cfbba0dcf42f877001c135be97f58ac25b8c17c234b3842e063620
                                                  • Opcode Fuzzy Hash: 405c74230e7fd62e76907c8d6a9f36c2966c6e7a5a79d25ecad16cb9204dac97
                                                  • Instruction Fuzzy Hash: 191151B1A40348BAE714DBE0DC4EFEA7738AB48B01F000569F705BD1C1EBB46588CB69
                                                  APIs
                                                  • lstrcpyA.KERNEL32(00412438,impossible), ref: 0040BC0E
                                                  • LoadLibraryW.KERNEL32(dnsapi.dll), ref: 0040BC19
                                                  • GetProcAddress.KERNEL32(?,DnsQuery_A), ref: 0040BC5D
                                                  • GetProcAddress.KERNEL32(?,DnsFree), ref: 0040BC6F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$LibraryLoadlstrcpy
                                                  • String ID: DnsFree$DnsQuery_A$dnsapi.dll$impossible
                                                  • API String ID: 3626614484-559448556
                                                  • Opcode ID: 4733c4bb93391e3fdd33e1b8b560b23becf734d8e585d2fcf7fcf55c0f10ec77
                                                  • Instruction ID: e23a3876d2fc1322a7926d60f8ebee7f821fb7d8447dcc26167fbd9c2565ae8b
                                                  • Opcode Fuzzy Hash: 4733c4bb93391e3fdd33e1b8b560b23becf734d8e585d2fcf7fcf55c0f10ec77
                                                  • Instruction Fuzzy Hash: 7B1182B4E40208BBE700EF94ED46BAEB774EB04704F50457AFA00762D1D7B966508B9D
                                                  APIs
                                                  • SetFileAttributesA.KERNEL32(004098F9,00000080), ref: 00409FF2
                                                  • DeleteFileA.KERNEL32(004098F9), ref: 00409FFC
                                                  • lstrcpyA.KERNEL32(?,004098F9), ref: 0040A027
                                                  • StrRChrA.SHLWAPI(?,00000000,0000002E), ref: 0040A038
                                                  • lstrcpyA.KERNEL32(00000000,.quarantined), ref: 0040A059
                                                  • MoveFileExA.KERNEL32(004098F9,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0040A06C
                                                  • RegDeleteValueA.ADVAPI32(?,?), ref: 0040A07A
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: File$Deletelstrcpy$AttributesMoveValue
                                                  • String ID: .quarantined
                                                  • API String ID: 1367357117-1160447256
                                                  • Opcode ID: 358f06373526a004a13695236903058dd93dfaa6b24e980cdadfdfc3320927ff
                                                  • Instruction ID: b06d8a62bb51c74e30fd73589a6153124daa912ee08b0026575777d78cdb6adb
                                                  • Opcode Fuzzy Hash: 358f06373526a004a13695236903058dd93dfaa6b24e980cdadfdfc3320927ff
                                                  • Instruction Fuzzy Hash: 131165B5500308ABD714DF60DD49FEA3378BB5C700F044558FB45E6290D6B59980CF54
                                                  APIs
                                                  • SetLastError.KERNEL32(00000000), ref: 0040B12B
                                                  • RegCreateKeyExA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00000000,00000000,00000002,00000000,004050CD,00000000), ref: 0040B154
                                                  • GetLastError.KERNEL32 ref: 0040B15A
                                                  • lstrlenA.KERNEL32(004050CD), ref: 0040B168
                                                  • RegSetValueExA.ADVAPI32(004050CD,Windows Update,00000000,00000001,004050CD,?), ref: 0040B18C
                                                  • RegCloseKey.ADVAPI32(004050CD), ref: 0040B196
                                                  Strings
                                                  • Windows Update, xrefs: 0040B183
                                                  • Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0040B14A
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$CloseCreateValuelstrlen
                                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Run$Windows Update
                                                  • API String ID: 1542516886-1771306399
                                                  • Opcode ID: 1c769485163e752d408cd98cd351faad1c9afa2e1099074f2b083416f7850bfe
                                                  • Instruction ID: ff0eb0bab796f5a15c1a8f25112661dd78019264e13eb45a5f685d47d0a9e38d
                                                  • Opcode Fuzzy Hash: 1c769485163e752d408cd98cd351faad1c9afa2e1099074f2b083416f7850bfe
                                                  • Instruction Fuzzy Hash: 1F013679640308BBE720DF90DD4AFDA7B78EB48701F104165B745BA2E0D7B469848F98
                                                  APIs
                                                  • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00000000,00000001,00000000), ref: 0040B90F
                                                  • RegQueryValueExA.ADVAPI32(00000000,ConsentPromptBehaviorAdmin,00000000,00000000,FFFFFFFF,00000004), ref: 0040B947
                                                  • RegQueryValueExA.ADVAPI32(00000000,EnableLUA,00000000,00000000,FFFFFFFF,00000004), ref: 0040B979
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 0040B983
                                                  Strings
                                                  • EnableLUA, xrefs: 0040B970
                                                  • SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 0040B905
                                                  • ConsentPromptBehaviorAdmin, xrefs: 0040B93E
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: QueryValue$CloseOpen
                                                  • String ID: ConsentPromptBehaviorAdmin$EnableLUA$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
                                                  • API String ID: 1586453840-3936960567
                                                  • Opcode ID: d22679c791e6e83cb90e9c0e5f1c06c46060fd663bad09286a760ccf1e0531cd
                                                  • Instruction ID: f877f38f0c53b79d184a8e4c7716833822dee599e09b99e8d386ba1bc28bfdd7
                                                  • Opcode Fuzzy Hash: d22679c791e6e83cb90e9c0e5f1c06c46060fd663bad09286a760ccf1e0531cd
                                                  • Instruction Fuzzy Hash: B2113DB590020DFBDB10DFD4CD49BEEB778EB04300F204669E211B62D0D3B85A48CB99
                                                  APIs
                                                  • RegCreateKeyExA.ADVAPI32(?,Software\Microsoft\Windows NT\CurrentVersion\Winlogon,00000000,00000000,00000000,00000002,00000000,?,00000000), ref: 0040AF68
                                                  • GetLastError.KERNEL32 ref: 0040AF6E
                                                  • RegSetValueExA.ADVAPI32(?,Shell,00000000,00000001,explorer.exe,0000000C), ref: 0040AF95
                                                  • RegCloseKey.ADVAPI32(?), ref: 0040AF9F
                                                  Strings
                                                  • Shell, xrefs: 0040AF8C
                                                  • explorer.exe, xrefs: 0040AF83
                                                  • Software\Microsoft\Windows NT\CurrentVersion\Winlogon, xrefs: 0040AF5F
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: CloseCreateErrorLastValue
                                                  • String ID: Shell$Software\Microsoft\Windows NT\CurrentVersion\Winlogon$explorer.exe
                                                  • API String ID: 3352405036-2475075456
                                                  • Opcode ID: 4a339c0966e7460f913661a95f34c56b02cf38f78826dca6071bfce5f6b4afea
                                                  • Instruction ID: ab569f9c5afcd7f1904f5e8fc5dc3e64dc14e73d604c4cb70f3dbc3e93457674
                                                  • Opcode Fuzzy Hash: 4a339c0966e7460f913661a95f34c56b02cf38f78826dca6071bfce5f6b4afea
                                                  • Instruction Fuzzy Hash: 2AF012B9A40308BBEB20DF90DD4AF9E7778AB44B00F208175B601BA1D0D7B469459759
                                                  APIs
                                                  • SetLastError.KERNEL32(00000000,?,0040910E), ref: 0040B268
                                                  • RegCreateKeyExA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 0040B294
                                                  • GetLastError.KERNEL32 ref: 0040B29A
                                                  • RegDeleteValueA.ADVAPI32(?,Windows Update), ref: 0040B2AD
                                                  • RegCloseKey.ADVAPI32(?), ref: 0040B2B7
                                                  Strings
                                                  • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, xrefs: 0040B28A
                                                  • Windows Update, xrefs: 0040B2A4
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$CloseCreateDeleteValue
                                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run$Windows Update
                                                  • API String ID: 2802250149-3708533339
                                                  • Opcode ID: c93f107bd7c0e873c13a8c55a2b4c923022c5596ed0b36ed7492075277360680
                                                  • Instruction ID: d1d706444faaf90f34cba6f7190ad5da575fb24db7febe883aa6cc3203be821d
                                                  • Opcode Fuzzy Hash: c93f107bd7c0e873c13a8c55a2b4c923022c5596ed0b36ed7492075277360680
                                                  • Instruction Fuzzy Hash: EAF01275A40208BBD7109B90DE4EFED7B78AB08B01F200175FB05F65E0DBB465449BAD
                                                  APIs
                                                  • SetLastError.KERNEL32(00000000), ref: 0040B0C8
                                                  • RegCreateKeyExA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00000000,00000000,00000002,00000000,?,00000000), ref: 0040B0F1
                                                  • GetLastError.KERNEL32 ref: 0040B0F7
                                                  • RegDeleteValueA.ADVAPI32(?,Windows Update), ref: 0040B10A
                                                  • RegCloseKey.ADVAPI32(?), ref: 0040B114
                                                  Strings
                                                  • Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 0040B0E7
                                                  • Windows Update, xrefs: 0040B101
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$CloseCreateDeleteValue
                                                  • String ID: Software\Microsoft\Windows\CurrentVersion\RunOnce$Windows Update
                                                  • API String ID: 2802250149-3174618451
                                                  • Opcode ID: 1306a297693abccd6b6d508cb81b1f0be86aae95507dddc707f533d4766df953
                                                  • Instruction ID: 44ee419511f9df7fb5ce0be2d39f7458498e87f28b0ff4de1c9297cd38b03429
                                                  • Opcode Fuzzy Hash: 1306a297693abccd6b6d508cb81b1f0be86aae95507dddc707f533d4766df953
                                                  • Instruction Fuzzy Hash: 18F01275A40208BBD710AB90DE4EFDA7B7CAB48B02F104175FB05B61E1D7B465448BA9
                                                  APIs
                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 00408199
                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000024,00000000), ref: 004081AE
                                                  • wsprintfA.USER32 ref: 004081D1
                                                  Strings
                                                  • %s\Documents and Settings\All users\Start Menu\Programs\Startup, xrefs: 004081E3
                                                  • %s\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup, xrefs: 004081C8
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: FolderPathSpecial$wsprintf
                                                  • String ID: %s\Documents and Settings\All users\Start Menu\Programs\Startup$%s\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
                                                  • API String ID: 1457244361-2502705976
                                                  • Opcode ID: b84c13eb551ded04f8b94a5439c3a4154b4c43e996b2072df2ad5dbc9a60dc84
                                                  • Instruction ID: 9ec3aa8984b5d32d633e1ca4d706b4895fa7004f3646713d6b0b81d45db71480
                                                  • Opcode Fuzzy Hash: b84c13eb551ded04f8b94a5439c3a4154b4c43e996b2072df2ad5dbc9a60dc84
                                                  • Instruction Fuzzy Hash: 37018130544308ABEB14CF54DD4EFEA3334AB04705F0042A9FA897E1D0DBF86995CB5A
                                                  APIs
                                                  • SetLastError.KERNEL32(00000000), ref: 004036AB
                                                  • CreateMutexA.KERNEL32(00000000,00000000,protectaavprotector_c000900), ref: 004036BA
                                                  • GetLastError.KERNEL32 ref: 004036C0
                                                  • ExitProcess.KERNEL32 ref: 004036CF
                                                  • CreateThread.KERNEL32(00000000,00000000,00403670,00000000,00000000,00000000), ref: 004036E4
                                                  Strings
                                                  • protectaavprotector_c000900, xrefs: 004036B1
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: CreateErrorLast$ExitMutexProcessThread
                                                  • String ID: protectaavprotector_c000900
                                                  • API String ID: 3981327136-4054897143
                                                  • Opcode ID: 4b2ebb6208a28bc1c8aa86ce575914704cb118a4d7f15fc87449489f26e48a74
                                                  • Instruction ID: 498ebe70af892d4eb0581f474d82f8aca618047115a6843eefceb77723152662
                                                  • Opcode Fuzzy Hash: 4b2ebb6208a28bc1c8aa86ce575914704cb118a4d7f15fc87449489f26e48a74
                                                  • Instruction Fuzzy Hash: EAE09230788304B7F2642BA0AE0FF283A18A709F42F600521FB1EBC9E49AF52410469E
                                                  APIs
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00403CEA
                                                  • Process32First.KERNEL32(?,00000128), ref: 00403D23
                                                  • lstrlenA.KERNEL32(?,00000008,?,00000128,?,00000002,00000000), ref: 00403D49
                                                  • Process32Next.KERNEL32(?,00000128), ref: 00403E1D
                                                  • CloseHandle.KERNEL32(?,?,00000128,?,?,00000128,?,00000002,00000000), ref: 00403E31
                                                  • Sleep.KERNEL32(00000064,?,?,00000128,?,00000002,00000000), ref: 00403E39
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: Process32$CloseCreateFirstHandleNextSleepSnapshotToolhelp32lstrlen
                                                  • String ID:
                                                  • API String ID: 1833734960-0
                                                  • Opcode ID: c32fcd8a7d835edb17bcef723e8d818d64a021f781ab09c604a29216f0a36e27
                                                  • Instruction ID: f356de2e87635b33c117538daf96917de365fc02c9ef98c92402fd66c55639e4
                                                  • Opcode Fuzzy Hash: c32fcd8a7d835edb17bcef723e8d818d64a021f781ab09c604a29216f0a36e27
                                                  • Instruction Fuzzy Hash: A5317070A00218EBDB20EF54ED95BD977B9EF48305F0041A9E605A72D0D7B96F91CF98
                                                  APIs
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040A0ED
                                                  • Process32First.KERNEL32(?,00000128), ref: 0040A106
                                                  • lstrcmpiA.KERNEL32(?,004098DC), ref: 0040A116
                                                  • lstrcmpiA.KERNEL32(?,004098DC), ref: 0040A13E
                                                  • Process32Next.KERNEL32(?,00000128), ref: 0040A165
                                                  • CloseHandle.KERNEL32(?,?,00000128), ref: 0040A175
                                                    • Part of subcall function 0040A090: OpenProcess.KERNEL32(00000001,00000000,00404F80,?,?,00404F80,?), ref: 0040A09C
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: Process32lstrcmpi$CloseCreateFirstHandleNextOpenProcessSnapshotToolhelp32
                                                  • String ID:
                                                  • API String ID: 3775481326-0
                                                  • Opcode ID: d895280e1ef32895b18733f03a5cd11b43cb294601d37da3233fafccbb98bfdf
                                                  • Instruction ID: 2e728c38c5c0439e5a25d9e30eb9ec661725443021a4b8969c24379083482dea
                                                  • Opcode Fuzzy Hash: d895280e1ef32895b18733f03a5cd11b43cb294601d37da3233fafccbb98bfdf
                                                  • Instruction Fuzzy Hash: AC1158B590021897D720EF71DC45FDB73789B5C704F0041A9F749AA281EA38DAA48FD9
                                                  APIs
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00404F1D
                                                  • Process32First.KERNEL32(?,00000128), ref: 00404F36
                                                  • lstrcmpiA.KERNEL32(?,004079F8), ref: 00404F46
                                                  • lstrcmpiA.KERNEL32(?,004079F8), ref: 00404F6A
                                                  • Process32Next.KERNEL32(?,00000128), ref: 00404F91
                                                  • CloseHandle.KERNEL32(?), ref: 00404FA1
                                                    • Part of subcall function 0040A090: OpenProcess.KERNEL32(00000001,00000000,00404F80,?,?,00404F80,?), ref: 0040A09C
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: Process32lstrcmpi$CloseCreateFirstHandleNextOpenProcessSnapshotToolhelp32
                                                  • String ID:
                                                  • API String ID: 3775481326-0
                                                  • Opcode ID: c6f90df989873885ce5a86ee483725d119dfcf982427ab1159b95c136967254c
                                                  • Instruction ID: a844b20499ac21575b2fa690f84672aa011dbfee0fe4a4088c16ad943d66f8eb
                                                  • Opcode Fuzzy Hash: c6f90df989873885ce5a86ee483725d119dfcf982427ab1159b95c136967254c
                                                  • Instruction Fuzzy Hash: C61154B59002189BD720EB71DC45FDA7379AB5C704F0041A9F749A6281EA38DAA48FD9
                                                  APIs
                                                  • lstrlenA.KERNEL32(?), ref: 00409F13
                                                  • StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 00409F38
                                                  • lstrlenA.KERNEL32(00000000), ref: 00409F54
                                                  • CreateProcessA.KERNEL32(?,004098A9,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 00409FCF
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$CreateProcess
                                                  • String ID: D
                                                  • API String ID: 3224327505-2746444292
                                                  • Opcode ID: 739eb3d91572515ae5d6e30cec6af84720814e78013defd522873a2fdaec88f2
                                                  • Instruction ID: 24fcee1d60ba3195e1318300dee59b05356e13fea0ad1bd1bf279c17c81c99d9
                                                  • Opcode Fuzzy Hash: 739eb3d91572515ae5d6e30cec6af84720814e78013defd522873a2fdaec88f2
                                                  • Instruction Fuzzy Hash: 512154F5900218ABD714DF90DC8AFDA7738AB5C704F0045A9F708AB1C1E6B55A84CF95
                                                  APIs
                                                    • Part of subcall function 0040B3B0: RegOpenKeyExA.ADVAPI32(80000001,Software\WindowsId Manager Reader,00000000,00000001,00000000,00409377), ref: 0040B3D6
                                                    • Part of subcall function 0040B3B0: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040B3FF
                                                    • Part of subcall function 0040B3B0: RegCloseKey.ADVAPI32(00000000), ref: 0040B422
                                                    • Part of subcall function 0040B2D0: RegCreateKeyExA.ADVAPI32(80000001,Software\WindowsId Manager Reader,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 0040B300
                                                    • Part of subcall function 0040B2D0: RegSetValueExA.ADVAPI32(00000000,00000000,00000000,?,?,?), ref: 0040B322
                                                    • Part of subcall function 0040B2D0: RegCloseKey.ADVAPI32(00000000), ref: 0040B32C
                                                    • Part of subcall function 0040A980: GetCurrentProcess.KERNEL32 ref: 0040A98D
                                                    • Part of subcall function 0040A980: OpenProcessToken.ADVAPI32(?,00000028,00000000), ref: 0040A9A0
                                                    • Part of subcall function 0040A980: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 0040A9B0
                                                    • Part of subcall function 0040A980: AdjustTokenPrivileges.ADVAPI32(00000000,00000000,00000001,00000010,00000000,00000000), ref: 0040A9D4
                                                  • InitiateSystemShutdownExA.ADVAPI32(00000000,Windows critical error, require reboot,00000000,00000001,00000001,00000000), ref: 0040AF2E
                                                  Strings
                                                  • itergtdw11qyucgHGGDsggd, xrefs: 0040AF05
                                                  • SeShutdownPrivilege, xrefs: 0040AF12
                                                  • Windows critical error, require reboot, xrefs: 0040AF27
                                                  • itergtdw11qyucgHGGDsggd, xrefs: 0040AEE1
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: Value$CloseOpenProcessToken$AdjustCreateCurrentInitiateLookupPrivilegePrivilegesQueryShutdownSystem
                                                  • String ID: SeShutdownPrivilege$Windows critical error, require reboot$itergtdw11qyucgHGGDsggd$itergtdw11qyucgHGGDsggd
                                                  • API String ID: 159947062-3875966801
                                                  • Opcode ID: 31fb5fe9b79f16a46eb1e7f7ca69f2ae70511455572cb7276e3134d85380b8f3
                                                  • Instruction ID: 1f93eae983f59e2a7888819ec449e4fe1bff9788df37bce816989e35b0948e9f
                                                  • Opcode Fuzzy Hash: 31fb5fe9b79f16a46eb1e7f7ca69f2ae70511455572cb7276e3134d85380b8f3
                                                  • Instruction Fuzzy Hash: ECF054B5A81308B6EB10E6809E07F5D7264D740B18F2040AAFB04371C2E6F52B14969F
                                                  APIs
                                                    • Part of subcall function 00408E00: RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?,?,000F003F), ref: 00408E1B
                                                    • Part of subcall function 00408CF0: GetProcessHeap.KERNEL32(?,?,004083FC,?,?,000F003F), ref: 00408D0B
                                                    • Part of subcall function 00408E80: RegQueryInfoKeyA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00408ED5
                                                  • lstrcpyA.KERNEL32(?,?,Function_00008200,?,?,?,000F003F), ref: 00408426
                                                  • PathRemoveFileSpecA.SHLWAPI(?), ref: 00408433
                                                  • PathFindFileNameA.SHLWAPI(?,00000000,?,000F003F), ref: 0040845A
                                                    • Part of subcall function 00408E40: SHDeleteKeyA.SHLWAPI(?,00408475,00408475,?), ref: 00408E53
                                                    • Part of subcall function 00408FE0: RegFlushKey.ADVAPI32(?,0040847D,?), ref: 00408FEF
                                                    • Part of subcall function 00409010: RegCloseKey.ADVAPI32(?,?,000F003F), ref: 00409040
                                                    • Part of subcall function 00408DB0: RegCreateKeyExA.ADVAPI32(000F003F,?,00000000,00000000,00000000,00000000,00000000,?,00000000,?,000F003F), ref: 00408DDC
                                                  • lstrlenA.KERNEL32(-00000105,?,?,000F003F,?), ref: 004084B7
                                                  • RegSetValueExA.ADVAPI32(00000000,00000000,00000000,00000001,-00000105,-00000001), ref: 004084DC
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: FilePath$CloseCreateDeleteFindFlushHeapInfoNameOpenProcessQueryRemoveSpecValuelstrcpylstrlen
                                                  • String ID:
                                                  • API String ID: 3965768071-0
                                                  • Opcode ID: 5b3c75b73becf8cf50e07d8101de96b4c55ce00ad25dabc9ec38daeb9ce7a95c
                                                  • Instruction ID: e86142db8d0e4fbd49993cacd0754146941bd2dd728f9558f63f63c54e5f364a
                                                  • Opcode Fuzzy Hash: 5b3c75b73becf8cf50e07d8101de96b4c55ce00ad25dabc9ec38daeb9ce7a95c
                                                  • Instruction Fuzzy Hash: 64410B75900108EBCB08EB94CA95EEEB779EF58304F0081AEA546B7292DF346F85DF54
                                                  APIs
                                                  • HeapAlloc.KERNEL32(?,00000008,00000314,?,?,004082D6,?,?), ref: 00408C2D
                                                  • lstrcpyA.KERNEL32(00000000,?,?,004082D6,?,?), ref: 00408C44
                                                  • lstrcpyA.KERNEL32(-00000105,004082D6,?,004082D6,?,?), ref: 00408C5B
                                                  • HeapAlloc.KERNEL32(?,00000008,00000314,?,?,004082D6,?,?), ref: 00408C8C
                                                  • lstrcpyA.KERNEL32(?,?,?,004082D6,?,?), ref: 00408CBB
                                                  • lstrcpyA.KERNEL32(?,004082D6,?,004082D6,?,?), ref: 00408CD1
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: lstrcpy$AllocHeap
                                                  • String ID:
                                                  • API String ID: 333684582-0
                                                  • Opcode ID: e909571d2d9293442b2d5a29b3cc6868272174d963dd44805ac6ee242f4acc8f
                                                  • Instruction ID: 401976806756014f12b020392fc0d7dca79d5942278f132aec1134f4bb7db1fa
                                                  • Opcode Fuzzy Hash: e909571d2d9293442b2d5a29b3cc6868272174d963dd44805ac6ee242f4acc8f
                                                  • Instruction Fuzzy Hash: 74318578600208EFC708CF94C694E9AB7F5FB8C304F2486A8E949AB355C775EE41DB94
                                                  APIs
                                                  • DestroyWindow.USER32(?), ref: 0040401F
                                                  • UnregisterDeviceNotification.USER32(?), ref: 0040402F
                                                  • PostQuitMessage.USER32(00000000), ref: 00404037
                                                  • DefWindowProcA.USER32(?,?,?,?), ref: 00404051
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: Window$DestroyDeviceMessageNotificationPostProcQuitUnregister
                                                  • String ID:
                                                  • API String ID: 1588911345-0
                                                  • Opcode ID: fbe78d3beceb5008e2a253105aff96865d51152027dffd9ccc0346b776ac46d0
                                                  • Instruction ID: 1ea58cf327e5b237283fea80739e8780ccf24d01394f12fc76a37845b9bd52b4
                                                  • Opcode Fuzzy Hash: fbe78d3beceb5008e2a253105aff96865d51152027dffd9ccc0346b776ac46d0
                                                  • Instruction Fuzzy Hash: 862193B4510109EFC714DF65DA0899E77B4EB88301F10847BEB16B72A0D7399A40EB5D
                                                  APIs
                                                  • RegOpenKeyExA.ADVAPI32(80000001,Software\WindowsId Manager Reader,00000000,00000001,00000000,00409377), ref: 0040B3D6
                                                  • RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040B3FF
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 0040B422
                                                  Strings
                                                  • Software\WindowsId Manager Reader, xrefs: 0040B3CC
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: CloseOpenQueryValue
                                                  • String ID: Software\WindowsId Manager Reader
                                                  • API String ID: 3677997916-3596387974
                                                  • Opcode ID: c55b0aa69c57449d46a9137cdf7f3d8890cad0ce48002bed1047dee44cb6e7fb
                                                  • Instruction ID: d9288041fceb18702543d415428207523954688618ab9de98004a1dd84f34b55
                                                  • Opcode Fuzzy Hash: c55b0aa69c57449d46a9137cdf7f3d8890cad0ce48002bed1047dee44cb6e7fb
                                                  • Instruction Fuzzy Hash: A5011E75900208FBDB10DFD4C949BEEBBB8EB44304F1084A9EA10B7280C7785A84CF99
                                                  APIs
                                                  • RegCreateKeyExA.ADVAPI32(80000001,Software\WindowsId Manager Reader,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 0040B300
                                                  • RegSetValueExA.ADVAPI32(00000000,00000000,00000000,?,?,?), ref: 0040B322
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 0040B32C
                                                  Strings
                                                  • Software\WindowsId Manager Reader, xrefs: 0040B2F6
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: CloseCreateValue
                                                  • String ID: Software\WindowsId Manager Reader
                                                  • API String ID: 1818849710-3596387974
                                                  • Opcode ID: c1db86aeaa9bc3d6d0a3cbee1669f2d8f229b39278d0684db0f666d539538422
                                                  • Instruction ID: bf6f028f0d6a214514c0f3d5c8291956a93232b9ecb04f3f9044cf6f18403c31
                                                  • Opcode Fuzzy Hash: c1db86aeaa9bc3d6d0a3cbee1669f2d8f229b39278d0684db0f666d539538422
                                                  • Instruction Fuzzy Hash: D6F04F75640208BBDB10CF84CD4AFDE7B78EB48700F208158FA04B72D0D7B4AA84CBA4
                                                  APIs
                                                  • GetDesktopWindow.USER32 ref: 0040AFC4
                                                  • FindWindowExA.USER32(00000000,00000000,Progman,00000000), ref: 0040AFE0
                                                  • Sleep.KERNEL32(000001F4), ref: 0040AFF1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: Window$DesktopFindSleep
                                                  • String ID: Progman
                                                  • API String ID: 2752603811-3542350831
                                                  • Opcode ID: 3570605eb730e875dac1496a45ca42846dd973027ee8ac7e3f21474c56d4a886
                                                  • Instruction ID: bb20454fd08d7ffb8f62dbcb8bcc6c87155644ad835ab1ca95164d936a6a9954
                                                  • Opcode Fuzzy Hash: 3570605eb730e875dac1496a45ca42846dd973027ee8ac7e3f21474c56d4a886
                                                  • Instruction Fuzzy Hash: DAE09BB0644306EBE714DBD09E09B5A76789B04702F1001BBB505B62D0C7B98950D6AB
                                                  APIs
                                                  • RegOpenKeyExA.ADVAPI32(80000001,Software\WindowsId Manager Reader,00000000,00000002,00000000), ref: 0040B4BD
                                                  • RegDeleteValueA.ADVAPI32(00000000,?), ref: 0040B4D1
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 0040B4DB
                                                  Strings
                                                  • Software\WindowsId Manager Reader, xrefs: 0040B4B3
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: CloseDeleteOpenValue
                                                  • String ID: Software\WindowsId Manager Reader
                                                  • API String ID: 849931509-3596387974
                                                  • Opcode ID: 04b3c8c47aca6b56176863ea9cc0148f9390a58e8c4ddf9b0a9dee028ece2051
                                                  • Instruction ID: 2262cf430029147d9792b17ac1ff065f30fd0f2517890e81b4eb7fbbc11e5b53
                                                  • Opcode Fuzzy Hash: 04b3c8c47aca6b56176863ea9cc0148f9390a58e8c4ddf9b0a9dee028ece2051
                                                  • Instruction Fuzzy Hash: CCE0E575940208FBDB10DB94DE49FDE77B8EB48701F6041A8BA05B26A0C7746E40DBA9
                                                  APIs
                                                  • lstrlenA.KERNEL32(?,?,?,?,?,?,00409B36), ref: 00409D09
                                                  • SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,00409B36,?,?,?,?,?,00409B36), ref: 00409E9F
                                                  • StrChrA.SHLWAPI(?,00000025,?,?,?,?,?,00409B36), ref: 00409EB4
                                                  • lstrcatA.KERNEL32(00409B36,?,?,?,?,?,?,00409B36), ref: 00409ED8
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: FolderPathlstrcatlstrlen
                                                  • String ID:
                                                  • API String ID: 4208654703-0
                                                  • Opcode ID: f6c223848e6671b24b49f3a8d63ab8c43ea58eb1b82999d266ae0030a9fe6987
                                                  • Instruction ID: 0d5e6f9077b0afede1d4af0843d553277996c5903be3423f4de9a10bc7ef8103
                                                  • Opcode Fuzzy Hash: f6c223848e6671b24b49f3a8d63ab8c43ea58eb1b82999d266ae0030a9fe6987
                                                  • Instruction Fuzzy Hash: 87713374D0420AEFCB18CF94C5986AEBBB1FF45305F2481AAE8116B391D3399E81DF95
                                                  APIs
                                                  • GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00404D0F
                                                  • GetTickCount.KERNEL32 ref: 00404D6D
                                                  Strings
                                                  • abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890123456789, xrefs: 00404D1A
                                                  Memory Dump Source
                                                  • Source File: 0000000F.00000002.1953278670.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 0000000F.00000002.1953278670.0000000000411000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953321360.0000000000413000.00000004.00000400.00020000.00000000.sdmp
                                                  • Associated: 0000000F.00000002.1953343357.000000000042B000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_15_2_400000_LisectAVT_2403002C_106.jbxd
                                                  Similarity
                                                  • API ID: CountInformationTickVolume
                                                  • String ID: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890123456789
                                                  • API String ID: 1021880723-3397549705
                                                  • Opcode ID: bf9da272677f73f1d5ba4ce19ab5c8d302b4da64ad593461156b88b62c5bd609
                                                  • Instruction ID: 0167695973b4967b04beae89abb8ec8d007d2c4886d1123cd930050e31290b6b
                                                  • Opcode Fuzzy Hash: bf9da272677f73f1d5ba4ce19ab5c8d302b4da64ad593461156b88b62c5bd609
                                                  • Instruction Fuzzy Hash: B5112970E0428857EB00DBA49D01B9E7B699B41304F04403AFE05BF2C1C7BC6515C76E

                                                  Execution Graph

                                                  Execution Coverage:8.7%
                                                  Dynamic/Decrypted Code Coverage:0%
                                                  Signature Coverage:2.2%
                                                  Total number of Nodes:579
                                                  Total number of Limit Nodes:18

                                                  Control-flow Graph (graph image for function 1c4370; basic-block edge data omitted, API calls listed below)
                                                  APIs
                                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 001C43DD
                                                  • wsprintfA.USER32 ref: 001C43F6
                                                  • lstrlenA.KERNEL32(?), ref: 001C4421
                                                  • GetDriveTypeA.KERNELBASE(?), ref: 001C4483
                                                  • wsprintfA.USER32 ref: 001C44D8
                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 001C44ED
                                                  • DeleteFileA.KERNEL32(?), ref: 001C44FA
                                                  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 001C4519
                                                  • CloseHandle.KERNEL32(000000FF), ref: 001C4535
                                                  • DeleteFileA.KERNEL32(?), ref: 001C4542
                                                  • GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 001C457F
                                                    • Part of subcall function 001C40D0: lstrlenA.KERNEL32(?,?,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,?,?,?,?,?,?,?,?,?,?,?,?,001C45A2), ref: 001C410D
                                                  • lstrcatA.KERNEL32(?,.exe), ref: 001C45B1
                                                  • wsprintfA.USER32 ref: 001C45CA
                                                  • FindFirstFileA.KERNEL32(?,?), ref: 001C45E1
                                                  • lstrcmpA.KERNEL32(?,?), ref: 001C4608
                                                  • lstrcpyA.KERNEL32(?,?), ref: 001C468A
                                                  • lstrlenA.KERNEL32(?), ref: 001C46B2
                                                  • wsprintfA.USER32 ref: 001C4753
                                                  • wsprintfA.USER32 ref: 001C4776
                                                  • MoveFileA.KERNEL32(?,?), ref: 001C478D
                                                  • wsprintfA.USER32 ref: 001C47BF
                                                  • wsprintfA.USER32 ref: 001C47E2
                                                  • StrStrA.SHLWAPI(?,.lnk), ref: 001C47F7
                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 001C480D
                                                  • DeleteFileA.KERNEL32(?), ref: 001C481A
                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 001C499F
                                                  • wsprintfA.USER32 ref: 001C49C7
                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 001C49DC
                                                  • DeleteFileA.KERNEL32(?), ref: 001C49E9
                                                  • CopyFileA.KERNEL32(?,?,00000000), ref: 001C49FF
                                                  • SetFileAttributesA.KERNEL32(?,00000006), ref: 001C4A0E
                                                  • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000006,00000000), ref: 001C4A2A
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: File$wsprintf$AttributesDelete$lstrlen$CreateFind$CloseCopyDriveFirstFolderHandleInformationMoveNextPathTypeVolumelstrcatlstrcmplstrcpy
                                                  • String ID: %s\%s$%s\%s$%s\%s$%s\%s$%s\%s.lnk$%s\*$%s\c731200$%s\c731200$.cmd$.com$.exe$.exe$.lnk$.pif$.scr$:$:$BCDEFGHIJKLMNOPQRSTUVWXYZ$\$_$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
                                                  • API String ID: 1100892458-693930271
                                                  • Opcode ID: 3e6313e1149e084b06a785e7fcade222853d37420008b54a0b78610b026994eb
                                                  • Instruction ID: 5a2200bd71f8014494e749d336d85e6c96eada0839b57f8236e7b5207469c790
                                                  • Opcode Fuzzy Hash: 3e6313e1149e084b06a785e7fcade222853d37420008b54a0b78610b026994eb
                                                  • Instruction Fuzzy Hash: DB02D575944218ABEB20DB60DC49FEA7778BB25700F0445DDF609A6082EB75EBC8CF50

                                                  Control-flow Graph (graph image for function 1c440b; basic-block edge data omitted, API calls listed below)
                                                  APIs
                                                  • lstrlenA.KERNEL32(?), ref: 001C4421
                                                  • GetDriveTypeA.KERNELBASE(?), ref: 001C4483
                                                  • wsprintfA.USER32 ref: 001C44D8
                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 001C44ED
                                                  • DeleteFileA.KERNEL32(?), ref: 001C44FA
                                                  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 001C4519
                                                  • CloseHandle.KERNEL32(000000FF), ref: 001C4535
                                                  • DeleteFileA.KERNEL32(?), ref: 001C4542
                                                  • GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 001C457F
                                                    • Part of subcall function 001C40D0: lstrlenA.KERNEL32(?,?,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,?,?,?,?,?,?,?,?,?,?,?,?,001C45A2), ref: 001C410D
                                                  • lstrcatA.KERNEL32(?,.exe), ref: 001C45B1
                                                  • wsprintfA.USER32 ref: 001C45CA
                                                  • FindFirstFileA.KERNEL32(?,?), ref: 001C45E1
                                                  • lstrcmpA.KERNEL32(?,?), ref: 001C4608
                                                  • lstrcpyA.KERNEL32(?,?), ref: 001C468A
                                                  • lstrlenA.KERNEL32(?), ref: 001C46B2
                                                  • wsprintfA.USER32 ref: 001C4753
                                                  • wsprintfA.USER32 ref: 001C4776
                                                  • MoveFileA.KERNEL32(?,?), ref: 001C478D
                                                  • wsprintfA.USER32 ref: 001C47BF
                                                  • wsprintfA.USER32 ref: 001C47E2
                                                  • StrStrA.SHLWAPI(?,.lnk), ref: 001C47F7
                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 001C480D
                                                  • DeleteFileA.KERNEL32(?), ref: 001C481A
                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 001C499F
                                                  • wsprintfA.USER32 ref: 001C49C7
                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 001C49DC
                                                  • DeleteFileA.KERNEL32(?), ref: 001C49E9
                                                  • CopyFileA.KERNEL32(?,?,00000000), ref: 001C49FF
                                                  • SetFileAttributesA.KERNEL32(?,00000006), ref: 001C4A0E
                                                  • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000006,00000000), ref: 001C4A2A
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: File$wsprintf$AttributesDelete$lstrlen$CreateFind$CloseCopyDriveFirstHandleInformationMoveNextTypeVolumelstrcatlstrcmplstrcpy
                                                  • String ID: %s\%s$%s\%s$%s\%s$%s\%s$%s\%s.lnk$%s\*$%s\c731200$.exe$.lnk$:$:$\
                                                  • API String ID: 3081613290-300744826
                                                  • Opcode ID: e3f70494b1af07a3f45d10fabe7473942e6a9224f43c32ce75643b93d7294761
                                                  • Instruction ID: b9d802dde47cae4d9f64a10f6dca7f98ebfc090e891187449cf68aaa2a82ac08
                                                  • Opcode Fuzzy Hash: e3f70494b1af07a3f45d10fabe7473942e6a9224f43c32ce75643b93d7294761
                                                  • Instruction Fuzzy Hash: C1C1B175948358ABEB20DB60DC49FE97B38AB25700F0445C9F60DA6182EB75EBD8CF50

                                                  Control-flow Graph (graph image for function 1c89d0; basic-block edge data omitted, API calls listed below)
                                                  APIs
                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,00000000), ref: 001C89E6
                                                  • GetComputerNameA.KERNEL32(?,00000104), ref: 001C8A04
                                                  • CharLowerA.USER32(?), ref: 001C8A11
                                                  • lstrlenA.KERNEL32(?), ref: 001C8A1E
                                                  • wsprintfA.USER32 ref: 001C8A3D
                                                  • FindFirstFileA.KERNELBASE(?,?), ref: 001C8A54
                                                  • CharLowerA.USER32(?), ref: 001C8AC2
                                                  • wsprintfA.USER32 ref: 001C8B68
                                                  • wsprintfA.USER32 ref: 001C8B8B
                                                  • MoveFileA.KERNEL32(?,?), ref: 001C8BA2
                                                  • GetLastError.KERNEL32 ref: 001C8BAD
                                                  • FindNextFileA.KERNELBASE(000000FF,?), ref: 001C8BCB
                                                  • FindClose.KERNELBASE(000000FF), ref: 001C8BE0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: FileFindwsprintf$CharLower$CloseComputerErrorFirstFolderLastMoveNameNextPathSpeciallstrlen
                                                  • String ID: %s\%s$%s\%s$%s\*.*
                                                  • API String ID: 626640802-3236339881
                                                  • Opcode ID: 7adbea730a08f372d1f3aa5a690d0fab9e408848e944bfba62c95a50c851d69f
                                                  • Instruction ID: 1ebd32585f0af78324c4cd94f0af6efb677dbb94f5e9dc5269b78a3230ec89ae
                                                  • Opcode Fuzzy Hash: 7adbea730a08f372d1f3aa5a690d0fab9e408848e944bfba62c95a50c851d69f
                                                  • Instruction Fuzzy Hash: 51519CB58402289BDB24CB60CCC8FEA7B79AB66301F5445C9E609A2941EB35DFD4CF50

                                                  Control-flow Graph

                                                  APIs
                                                  • wsprintfA.USER32 ref: 001C803F
                                                  • FindFirstFileA.KERNELBASE(?,?), ref: 001C8056
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001C8087
                                                  • Process32First.KERNEL32(000000FF,00000128), ref: 001C80AD
                                                  • lstrcmpiA.KERNEL32(?,?), ref: 001C80C4
                                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 001C80D9
                                                  • TerminateProcess.KERNEL32(?,00000000), ref: 001C80EE
                                                  • CloseHandle.KERNEL32(?), ref: 001C80FB
                                                  • FindCloseChangeNotification.KERNELBASE(000000FF,000000FF,00000128,00000002,00000000), ref: 001C8121
                                                  • wsprintfA.USER32 ref: 001C813E
                                                  • DeleteFileA.KERNELBASE(?), ref: 001C814E
                                                  • FindNextFileA.KERNELBASE(000000FF,?), ref: 001C815F
                                                  • FindClose.KERNELBASE(000000FF), ref: 001C8171
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Find$CloseFile$FirstProcesswsprintf$ChangeCreateDeleteHandleNextNotificationOpenProcess32SnapshotTerminateToolhelp32lstrcmpi
                                                  • String ID: %s\%s$%s\*.*
                                                  • API String ID: 2442323009-1665845743
                                                  • Opcode ID: 101b30d2c6cdb55523cca7315f00cfc5f113d1cedc887f0697cbf4199f6a4db2
                                                  • Instruction ID: 512ad606558c384d0a0ca7f0d6c8f9e16885c8008b8f2d2ff54f56ca2d3fe358
                                                  • Opcode Fuzzy Hash: 101b30d2c6cdb55523cca7315f00cfc5f113d1cedc887f0697cbf4199f6a4db2
                                                  • Instruction Fuzzy Hash: F9316FB1940218AFDB24DBA4CC89FEE77B8AB59700F04868CF609A2151DF34DAC58F54

                                                  Control-flow Graph

                                                  control_flow_graph 374 1c8200-1c821b 375 1c8221-1c823d 374->375 375->375 376 1c823f-1c8269 375->376 377 1c829f-1c82ab 376->377 378 1c826b-1c8283 StrCmpNIA 376->378 380 1c82ad-1c82c4 StrCmpNIA 377->380 381 1c82e0-1c831a PathRemoveArgsA PathFindFileNameA CreateToolhelp32Snapshot 377->381 378->377 379 1c8285-1c8295 call 1c8c10 378->379 382 1c83a8-1c83b0 379->382 380->381 385 1c82c6-1c82d6 call 1c8c10 380->385 381->382 383 1c8320-1c8335 Process32First 381->383 386 1c839b-1c83a2 FindCloseChangeNotification 383->386 387 1c8337-1c834d lstrcmpiA 383->387 385->382 386->382 391 1c834f-1c8382 OpenProcess TerminateProcess CloseHandle 387->391 392 1c8384-1c8399 Process32Next 387->392 391->386 392->386 392->387
                                                  APIs
                                                  • StrCmpNIA.KERNELBASE(?,001D1C48,?), ref: 001C827B
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f7b34e6404043353c8871cd8c9b64b4df1322826efbbc94b878e58830b32e38f
                                                  • Instruction ID: 696ef21c979ce517fbcb650a378d82f81e5c370c849dbc28bfe1b6aabdbaf022
                                                  • Opcode Fuzzy Hash: f7b34e6404043353c8871cd8c9b64b4df1322826efbbc94b878e58830b32e38f
                                                  • Instruction Fuzzy Hash: A241EA71A01258ABCB24DFA4DC85FEEB7B9BB59700F044589F609A7291DB34EE90CF50

                                                  Control-flow Graph

                                                  control_flow_graph 419 1c5c20-1c5c59 FindFirstFileA 420 1c5c5b 419->420 421 1c5c60-1c5c69 419->421 422 1c5d07-1c5d0a 420->422 423 1c5cde-1c5cf4 FindNextFileA 421->423 424 1c5c6b-1c5cd8 SetFileAttributesA call 1c4ef0 call 1c4c90 lstrcpyA lstrcatA MoveFileExA 421->424 423->421 426 1c5cfa-1c5d01 FindClose 423->426 424->423 426->422
                                                  APIs
                                                  • FindFirstFileA.KERNELBASE(*.exe,?), ref: 001C5C46
                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 001C5C77
                                                  • lstrcpyA.KERNEL32(?,?), ref: 001C5CB0
                                                  • lstrcatA.KERNEL32(?,.gonewiththewings), ref: 001C5CC2
                                                  • MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 001C5CD8
                                                  • FindNextFileA.KERNELBASE(000000FF,?), ref: 001C5CEC
                                                  • FindClose.KERNEL32(000000FF), ref: 001C5D01
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: File$Find$AttributesCloseFirstMoveNextlstrcatlstrcpy
                                                  • String ID: *.exe$.gonewiththewings
                                                  • API String ID: 1705839981-2409806945
                                                  • Opcode ID: dbc854664971f6e564d0c6c7716a595e6f330285b03ba5b6b007766e28e2b69a
                                                  • Instruction ID: c622fc23ce254f24cb2a2a7280c3add196de7d774bffd29e13e8ca0782bc1afc
                                                  • Opcode Fuzzy Hash: dbc854664971f6e564d0c6c7716a595e6f330285b03ba5b6b007766e28e2b69a
                                                  • Instruction Fuzzy Hash: 2E216D75840318ABCB24DBA0DC49FEA777CBB18700F044688F609A6591DB35EBC4CF90

                                                  Control-flow Graph

                                                  control_flow_graph 430 415a20-415a31 call 4135e0 433 415a37-415a3e call 413a20 430->433 434 415c49-415c4c 430->434 433->434 437 415a44-415a5b 433->437 438 415a61-415a68 437->438 439 415ae5-415b4a call 414d00 LdrEnumerateLoadedModules call 413080 * 2 437->439 438->439 440 415a6a-415a76 438->440 451 415b4f-415b63 439->451 440->439 442 415a78-415a87 call 413920 440->442 448 415c46-415c48 442->448 449 415a8d-415a97 442->449 448->434 452 415a99 449->452 453 415a9c-415aa0 449->453 454 415b70-415b85 451->454 455 415b65-415b6c 451->455 452->453 456 415aa2-415aa5 453->456 457 415ad8-415ae3 453->457 459 415b87-415b8b 454->459 460 415bcc-415be5 454->460 455->454 458 415aaa-415aac 456->458 457->439 457->442 461 415ab3 458->461 462 415aae-415ab1 458->462 463 415bc3-415bca 459->463 464 415b8d-415ba7 call 4139a0 459->464 465 415bf4-415c0a CreateThread CloseHandle 460->465 466 415be7-415bf2 460->466 468 415ab7-415ab9 call 413750 461->468 462->468 463->459 463->460 464->463 476 415ba9-415bbf 464->476 467 415c0c-415c1f 465->467 466->465 466->467 470 415c21-415c2c 467->470 471 415c2e-415c44 CreateThread CloseHandle 467->471 475 415abe-415ac2 468->475 470->448 470->471 471->448 475->448 478 415ac8-415ad3 475->478 476->463 479 415ad5 478->479 480 415aa7 478->480 479->457 480->458
                                                  APIs
                                                  • LdrEnumerateLoadedModules.NTDLL(00000000,Function_00005040,?), ref: 00415B0D
                                                  • CreateThread.KERNEL32(00000000,00000000,Function_00005070,00000000,00000000,00000000), ref: 00415C03
                                                  • CloseHandle.KERNEL32(00000000), ref: 00415C0A
                                                  • CreateThread.KERNEL32(00000000,00000000,Function_000050F0,00000000,00000000,00000000), ref: 00415C3D
                                                  • CloseHandle.KERNEL32(00000000), ref: 00415C44
                                                    • Part of subcall function 00413920: RtlAnsiStringToUnicodeString.NTDLL(?,?,00000000), ref: 00413962
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: CloseCreateHandleStringThread$AnsiEnumerateLoadedModulesUnicode
                                                  • String ID: LdrLoadDll$NtResumeThread$ntdll.dll
                                                  • API String ID: 1691487058-1814628691
                                                  • Opcode ID: 36455dbcfef3f579337d30bc6aad9bf4d9f2159af335cf1d09b1157bf6d12444
                                                  • Instruction ID: 759b4e43f2ba6cb7e15d7ac347b6e2e06c64b80d995297b323e83bcfd2e150a6
                                                  • Opcode Fuzzy Hash: 36455dbcfef3f579337d30bc6aad9bf4d9f2159af335cf1d09b1157bf6d12444
                                                  • Instruction Fuzzy Hash: 4D61DF75740B02EBDB20CF65CC81FEA73A4AF84745F14452AE8019B391E778F982CB98

                                                  Control-flow Graph

                                                  APIs
                                                  • OpenProcessToken.ADVAPI32(00000000,00000028,?,00414E7E,SeDebugPrivilege,00000001,00000000,ntdll.dll,NtGetNextProcess), ref: 00414C32
                                                  • GetLastError.KERNEL32 ref: 00414C3C
                                                  • LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 00414C52
                                                  • GetLastError.KERNEL32 ref: 00414C5C
                                                  • CloseHandle.KERNEL32(?), ref: 00414C66
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$CloseHandleLookupOpenPrivilegeProcessTokenValue
                                                  • String ID:
                                                  • API String ID: 1673749002-0
                                                  • Opcode ID: 872a59cf997422ba8964b74adcf4ff97e5c59e5c7a5cd62146007742107b1174
                                                  • Instruction ID: 923dc70b709353851b70b745348eb8414ac1483db2d934e2f301b32403a49124
                                                  • Opcode Fuzzy Hash: 872a59cf997422ba8964b74adcf4ff97e5c59e5c7a5cd62146007742107b1174
                                                  • Instruction Fuzzy Hash: A211A035B00208ABDB20DFA4DC09FBF77B8EB58701F404569FE09D6290EA719E008BA4

                                                  Control-flow Graph

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: NtGetNextProcess$SeDebugPrivilege$ntdll.dll
                                                  • API String ID: 0-503679825
                                                  • Opcode ID: 822a26e46369c7db38e657e305fadd3da96e5e58e443a7110933050ddf3c9268
                                                  • Instruction ID: d8027b9c3b0d2bd83cc65e0c8e17f58579d723fd38b948d3c59ab7bc841ec105
                                                  • Opcode Fuzzy Hash: 822a26e46369c7db38e657e305fadd3da96e5e58e443a7110933050ddf3c9268
                                                  • Instruction Fuzzy Hash: 0631C9B4B4431476E610BF76AC07BEE32549B44B49F00446BB844E7292FBBC968187AE
                                                  APIs
                                                  • FindFirstFileA.KERNELBASE(*.gonewiththewings,?), ref: 001C5D25
                                                  • SetFileAttributesA.KERNELBASE(?,00000080), ref: 001C5D48
                                                  • DeleteFileA.KERNELBASE(?), ref: 001C5D55
                                                  • FindNextFileA.KERNELBASE(000000FF,?), ref: 001C5D69
                                                  • FindClose.KERNEL32(000000FF), ref: 001C5D7A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: File$Find$AttributesCloseDeleteFirstNext
                                                  • String ID: *.gonewiththewings
                                                  • API String ID: 1425421994-3334882037
                                                  • Opcode ID: 921d622d72c7c27ec29b007d2fc5ce8ee39fba9a5b7ae19029e6e81dee0d2970
                                                  • Instruction ID: bb325c64b94cc9c0e62ed409120e64b9bf158057497d65974dc1fba025478136
                                                  • Opcode Fuzzy Hash: 921d622d72c7c27ec29b007d2fc5ce8ee39fba9a5b7ae19029e6e81dee0d2970
                                                  • Instruction Fuzzy Hash: ADF06D7494021DAFCB249BB0DD48FED7B38BB19700F4046C8EA0E921A1D734EAC48F61
                                                  APIs
                                                  • IsBadReadPtr.KERNEL32(001C5AF4,?), ref: 001C58EA
                                                  • VirtualAllocEx.KERNELBASE(001C7810,00000000,?,00003000,00000040), ref: 001C590C
                                                  • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 001C592C
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: AllocVirtual$Read
                                                  • String ID:
                                                  • API String ID: 3755761445-0
                                                  • Opcode ID: 03e9d86f09545af3727c0665c5a04a244de3c27a3c37a81dcb272270e117506e
                                                  • Instruction ID: f7b7162f5237da8f00e48de4baefdf90670b92d52247293739b06e8ead349a78
                                                  • Opcode Fuzzy Hash: 03e9d86f09545af3727c0665c5a04a244de3c27a3c37a81dcb272270e117506e
                                                  • Instruction Fuzzy Hash: 8561A274A00209EFCB04CF99C994FAEBBB2BF48701F148259E915AB391D735E981CB64
                                                  APIs
                                                    • Part of subcall function 001C5AA0: VirtualQuery.KERNEL32(001C5AA0,?,0000001C,?,?,?,?,?,?,?,?,?,001C5ADE), ref: 001C5AC1
                                                    • Part of subcall function 001C58C0: IsBadReadPtr.KERNEL32(001C5AF4,?), ref: 001C58EA
                                                  • GetModuleFileNameA.KERNEL32(00000000,?,000000FE), ref: 001C5B4A
                                                  • VirtualAllocEx.KERNEL32(001C7810,00000000,00000104,00001000,00000004), ref: 001C5B62
                                                  • WriteProcessMemory.KERNEL32(001C7810,00000000,?,00000104,?), ref: 001C5B95
                                                  • CreateRemoteThread.KERNEL32(001C7810,00000000,00000000,?,00000000,00000000,00000000), ref: 001C5BB9
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Virtual$AllocCreateFileMemoryModuleNameProcessQueryReadRemoteThreadWrite
                                                  • String ID:
                                                  • API String ID: 2663169638-0
                                                  • Opcode ID: 76ba6083b2bab5b2b6ddad5961e3826630e3f3be0cb0b6dd66bc8b3e5c11a5d3
                                                  • Instruction ID: 2552eb5d56ebc358905f40015607e6cfee375be1c723f58d402ce6fe9b5b111b
                                                  • Opcode Fuzzy Hash: 76ba6083b2bab5b2b6ddad5961e3826630e3f3be0cb0b6dd66bc8b3e5c11a5d3
                                                  • Instruction Fuzzy Hash: 0E313075A40258BFDB24DF60CC46FEA7779AB69700F108598F609AA1C0D7B0EEC08F95
                                                  APIs
                                                    • Part of subcall function 00415A20: LdrEnumerateLoadedModules.NTDLL(00000000,Function_00005040,?), ref: 00415B0D
                                                  • NtQueryInformationProcess.NTDLL(00000000,0000001B,?,00000800,00000000), ref: 00415C80
                                                    • Part of subcall function 004149F0: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,771B0440,?,004173CC,00447C98,00000000,00000000,00000010,00000000), ref: 00414A10
                                                    • Part of subcall function 004149F0: ReleaseMutex.KERNEL32(00000000,?,?,00000000), ref: 00414A77
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: EnumerateInformationLoadedModulesMutexObjectProcessQueryReleaseSingleWait
                                                  • String ID: STFU
                                                  • API String ID: 2599885325-778810564
                                                  • Opcode ID: 073d49007b21dbee863f0af3dd3c5a7424e8048b7f000207f3c3477655afa42f
                                                  • Instruction ID: 1b69ab5f81243ea80e9b184ef109718236b14aa2df5e8a02d88a893ffdf0cf07
                                                  • Opcode Fuzzy Hash: 073d49007b21dbee863f0af3dd3c5a7424e8048b7f000207f3c3477655afa42f
                                                  • Instruction Fuzzy Hash: 6901DDF1B40304BAE7509FA59C02BEB72ACEB44701F0041A6B944D7181FD74998487E9

                                                  Control-flow Graph

                                                  control_flow_graph 0 1c5ed0-1c66a3 call 1c8bf0 call 1c4c90 SHGetFolderPathA lstrcatA SetCurrentDirectoryA call 1c5c20 call 1c5d10 call 1c4c90 GetTempPathA SetCurrentDirectoryA call 1c5c20 call 1c5d10 call 1c4c90 * 2 call 1c5e90 wsprintfA lstrcatA SetFileAttributesA lstrcpyA SetCurrentDirectoryA call 1c5c20 call 1c5d10 SetCurrentDirectoryA StrRChrA lstrlenA call 1ca9e0 MoveFileA GetLastError wsprintfA * 2 lstrcatA SetFileAttributesA lstrcpyA SetCurrentDirectoryA call 1c5c20 call 1c5d10 SetCurrentDirectoryA StrRChrA lstrlenA call 1ca9e0 MoveFileA GetLastError wsprintfA call 1c4c90 SHGetFolderPathA lstrcatA SetCurrentDirectoryA call 1c5c20 call 1c5d10 call 1c4c90 GetTempPathA SetCurrentDirectoryA call 1c5c20 call 1c5d10 call 1c4c90 SHGetFolderPathA SetCurrentDirectoryA call 1c5c20 call 1c5d10 call 1c4c90 GetTempPathA SetCurrentDirectoryA call 1c5c20 call 1c5d10 call 1c4c90 GetTempPathA SetCurrentDirectoryA call 1c5c20 call 1c5d10 call 1c4c90 GetTempPathA lstrcatA SetCurrentDirectoryA call 1c5c20 call 1c5d10 call 1c4c90 GetEnvironmentVariableA SetCurrentDirectoryA call 1c5c20 call 1c5d10 call 1c4c90 GetTempPathA SetCurrentDirectoryA call 1c5c20 call 1c5d10 call 1c4c90 SHGetFolderPathA SetCurrentDirectoryA call 1c5c20 call 1c5d10 call 1c4c90 GetTempPathA SetCurrentDirectoryA call 1c5c20 call 1c5d10 call 1c4c90 SHGetFolderPathA SetCurrentDirectoryA call 1c5c20 call 1c5d10 call 1c4c90 GetTempPathA SetCurrentDirectoryA call 1c5c20 call 1c5d10 call 1c4c90 SHGetFolderPathA SetCurrentDirectoryA call 1c5c20 call 1c5d10 call 1c4c90 GetTempPathA SetCurrentDirectoryA call 1c5c20 call 1c5d10 call 1c4c90 SHGetFolderPathA SetCurrentDirectoryA call 1c5c20 call 1c5d10 call 1c4c90 GetTempPathA SetCurrentDirectoryA call 1c5c20 call 1c5d10 128 1c66a8-1c66ab 0->128
                                                  APIs
                                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 001C5F0E
                                                  • lstrcatA.KERNEL32(?,\Microsoft), ref: 001C5F20
                                                  • SetCurrentDirectoryA.KERNELBASE(?), ref: 001C5F2D
                                                    • Part of subcall function 001C5C20: FindFirstFileA.KERNELBASE(*.exe,?), ref: 001C5C46
                                                    • Part of subcall function 001C5D10: FindFirstFileA.KERNELBASE(*.gonewiththewings,?), ref: 001C5D25
                                                  • GetTempPathA.KERNEL32(00000103,?), ref: 001C5F69
                                                  • SetCurrentDirectoryA.KERNELBASE(?), ref: 001C5F76
                                                    • Part of subcall function 001C5C20: SetFileAttributesA.KERNEL32(?,00000080), ref: 001C5C77
                                                    • Part of subcall function 001C5C20: lstrcpyA.KERNEL32(?,?), ref: 001C5CB0
                                                    • Part of subcall function 001C5C20: lstrcatA.KERNEL32(?,.gonewiththewings), ref: 001C5CC2
                                                    • Part of subcall function 001C5C20: MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 001C5CD8
                                                    • Part of subcall function 001C5C20: FindNextFileA.KERNELBASE(000000FF,?), ref: 001C5CEC
                                                    • Part of subcall function 001C5C20: FindClose.KERNEL32(000000FF), ref: 001C5D01
                                                    • Part of subcall function 001C5D10: SetFileAttributesA.KERNELBASE(?,00000080), ref: 001C5D48
                                                    • Part of subcall function 001C5D10: DeleteFileA.KERNELBASE(?), ref: 001C5D55
                                                    • Part of subcall function 001C5D10: FindNextFileA.KERNELBASE(000000FF,?), ref: 001C5D69
                                                    • Part of subcall function 001C5D10: FindClose.KERNEL32(000000FF), ref: 001C5D7A
                                                    • Part of subcall function 001C5E90: GetSystemWindowsDirectoryA.KERNEL32(?,0000001E), ref: 001C5E9C
                                                  • wsprintfA.USER32 ref: 001C5FEE
                                                  • lstrcatA.KERNEL32(?,\CreativeAudio), ref: 001C6003
                                                  • SetFileAttributesA.KERNELBASE(?,00000080), ref: 001C6015
                                                  • lstrcpyA.KERNEL32(?,?), ref: 001C6029
                                                  • SetCurrentDirectoryA.KERNELBASE(?), ref: 001C6036
                                                  • SetCurrentDirectoryA.KERNELBASE(?), ref: 001C6057
                                                  • StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 001C6068
                                                  • lstrlenA.KERNEL32(?), ref: 001C608A
                                                    • Part of subcall function 001CA9E0: GetTickCount.KERNEL32 ref: 001CA9ED
                                                  • MoveFileA.KERNEL32(?,?), ref: 001C60AE
                                                  • GetLastError.KERNEL32 ref: 001C60B4
                                                  • wsprintfA.USER32 ref: 001C60D3
                                                  • wsprintfA.USER32 ref: 001C60EF
                                                  • lstrcatA.KERNEL32(?,\CreativeAudio), ref: 001C6104
                                                  • SetFileAttributesA.KERNELBASE(?,00000080), ref: 001C6116
                                                  • lstrcpyA.KERNEL32(?,?), ref: 001C612A
                                                  • SetCurrentDirectoryA.KERNELBASE(?), ref: 001C6137
                                                  • SetCurrentDirectoryA.KERNELBASE(?), ref: 001C6158
                                                  • StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 001C6169
                                                  • lstrlenA.KERNEL32(?), ref: 001C618B
                                                  • MoveFileA.KERNEL32(?,?), ref: 001C61AF
                                                  • GetLastError.KERNEL32 ref: 001C61B5
                                                  • wsprintfA.USER32 ref: 001C61D4
                                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 001C6202
                                                  • lstrcatA.KERNEL32(?,\Identities), ref: 001C6214
                                                  • SetCurrentDirectoryA.KERNELBASE(?), ref: 001C6221
                                                  • GetTempPathA.KERNEL32(00000103,?), ref: 001C625D
                                                  • SetCurrentDirectoryA.KERNELBASE(?), ref: 001C626A
                                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 001C62A9
                                                  • SetCurrentDirectoryA.KERNELBASE(?), ref: 001C62B6
                                                  • GetTempPathA.KERNEL32(00000103,?), ref: 001C62F2
                                                  • SetCurrentDirectoryA.KERNELBASE(?), ref: 001C62FF
                                                  • GetTempPathA.KERNEL32(00000103,?), ref: 001C633B
                                                  • SetCurrentDirectoryA.KERNELBASE(?), ref: 001C6348
                                                  • GetTempPathA.KERNEL32(00000103,?), ref: 001C6384
                                                  • lstrcatA.KERNEL32(?,\adobe), ref: 001C6396
                                                  • SetCurrentDirectoryA.KERNELBASE(?), ref: 001C63A3
                                                  • GetEnvironmentVariableA.KERNEL32(ALLUSERSPROFILE,?,00000103), ref: 001C63E4
                                                  • SetCurrentDirectoryA.KERNELBASE(?), ref: 001C63F1
                                                  • GetTempPathA.KERNEL32(00000103,?), ref: 001C642D
                                                  • SetCurrentDirectoryA.KERNELBASE(?), ref: 001C643A
                                                  • SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 001C6479
                                                  • SetCurrentDirectoryA.KERNELBASE(?), ref: 001C6486
                                                  • GetTempPathA.KERNEL32(00000103,?), ref: 001C64C2
                                                  • SetCurrentDirectoryA.KERNELBASE(?), ref: 001C64CF
                                                  • SHGetFolderPathA.SHELL32(00000000,00000007,00000000,00000000,?), ref: 001C650E
                                                  • SetCurrentDirectoryA.KERNELBASE(?), ref: 001C651B
                                                  • GetTempPathA.KERNEL32(00000103,?), ref: 001C6557
                                                  • SetCurrentDirectoryA.KERNELBASE(?), ref: 001C6564
                                                  • SHGetFolderPathA.SHELL32(00000000,00000018,00000000,00000000,?), ref: 001C65A3
                                                  • SetCurrentDirectoryA.KERNELBASE(?), ref: 001C65B0
                                                  • GetTempPathA.KERNEL32(00000103,?), ref: 001C65EC
                                                  • SetCurrentDirectoryA.KERNELBASE(?), ref: 001C65F9
                                                  • SHGetFolderPathA.SHELL32(00000000,00000007,00000000,00000000,?), ref: 001C6638
                                                  • SetCurrentDirectoryA.KERNELBASE(?), ref: 001C6645
                                                  • GetTempPathA.KERNEL32(00000103,?), ref: 001C6681
                                                  • SetCurrentDirectoryA.KERNELBASE(?), ref: 001C668E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Directory$Current$Path$File$Temp$Folder$Findlstrcat$Attributeswsprintf$Movelstrcpy$CloseErrorFirstLastNextlstrlen$CountDeleteEnvironmentSystemTickVariableWindows
                                                  • String ID: %s\Program Files\Common Files$%s\programdata$ALLUSERSPROFILE$\CreativeAudio$\CreativeAudio$\Identities$\Microsoft$\adobe
                                                  • API String ID: 1600014326-639403373
                                                  • Opcode ID: 32de4e458f82d5e196fb5e92b9bc50f97c5604ae91c0d71a3a1feaa256ea4fb3
                                                  • Instruction ID: 4285dc43463f784570debbed42fbb22dde5f729912510472517d668940f18062
                                                  • Opcode Fuzzy Hash: 32de4e458f82d5e196fb5e92b9bc50f97c5604ae91c0d71a3a1feaa256ea4fb3
                                                  • Instruction Fuzzy Hash: BE1271B5E403187BD710EBA0EC4AFD97738AB78705F440498B309A6182EFB5E6D48F65

                                                  Control-flow Graph

                                                  APIs
                                                  • GetFileAttributesExA.KERNEL32(00000000,00000000,?), ref: 001C783D
                                                  • GetEnvironmentVariableA.KERNEL32(APPDATA,?,00000103), ref: 001C788B
                                                  • lstrcatA.KERNEL32(?,\Update), ref: 001C789D
                                                  • CreateDirectoryA.KERNELBASE(?,00000000), ref: 001C78AC
                                                  • lstrcatA.KERNEL32(?,\Explorer.exe), ref: 001C78BE
                                                  • SetFileAttributesA.KERNELBASE(?,00000080), ref: 001C78EB
                                                  • DeleteFileA.KERNELBASE(?), ref: 001C78F8
                                                  • CopyFileA.KERNEL32(?,?,00000000), ref: 001C790E
                                                  • RegOpenKeyA.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,?), ref: 001C7925
                                                  • RegSetValueExA.KERNELBASE(?,Windows Explorer Manager,00000000,00000001,?,?), ref: 001C7998
                                                  • RegCloseKey.KERNELBASE(?), ref: 001C79A5
                                                  • SetLastError.KERNEL32(00000000), ref: 001C79AD
                                                  • CreateMutexA.KERNELBASE(00000000,00000000,SVCHOST_MUTEX_OBJECT_RELEASED_c000900), ref: 001C79BC
                                                  • GetLastError.KERNEL32 ref: 001C79C2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: File$AttributesCreateErrorLastlstrcat$CloseCopyDeleteDirectoryEnvironmentMutexOpenValueVariable
                                                  • String ID: %$APPDATA$D$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$SVCHOST_MUTEX_OBJECT_RELEASED_c000900$Windows Explorer Manager$\Explorer.exe$\Update$\mspaint.exe$msiexec.exe$mspaint.exe$notepad.exe
                                                  • API String ID: 3000446578-2649343952
                                                  • Opcode ID: 21d2c219f627311c3e82f393b9de5f01ea947dccfab4a396cb03806e3e312d95
                                                  • Instruction ID: 11cb41c55bda5894fd6aeaf51b88bda5e223633aac52e5a42bdebb86ca6050e7
                                                  • Opcode Fuzzy Hash: 21d2c219f627311c3e82f393b9de5f01ea947dccfab4a396cb03806e3e312d95
                                                  • Instruction Fuzzy Hash: 96712E71A84314BFEB209BA0DC4AFD97778AB65B04F044088F349A61D1DBB5EAC4CF56

                                                  Control-flow Graph

                                                  APIs
                                                  • VirtualQuery.KERNEL32(001C5730,?,0000001C), ref: 001C577F
                                                  • LoadLibraryA.KERNEL32(user32.dll), ref: 001C5790
                                                  • LoadLibraryA.KERNEL32(advapi32.dll), ref: 001C579B
                                                  • LoadLibraryA.KERNEL32(shell32.dll), ref: 001C57A6
                                                  • LoadLibraryA.KERNEL32(urlmon.dll), ref: 001C57B1
                                                  • LoadLibraryA.KERNEL32(wininet.dll), ref: 001C57BC
                                                  • LoadLibraryA.KERNEL32(gdi32.dll), ref: 001C57C7
                                                  • LoadLibraryA.KERNEL32(rpcrt4.dll), ref: 001C57D2
                                                  • LoadLibraryA.KERNEL32(netapi32.dll), ref: 001C57DD
                                                  • GetTickCount.KERNEL32 ref: 001C5821
                                                    • Part of subcall function 001C4370: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 001C43DD
                                                    • Part of subcall function 001C4370: wsprintfA.USER32 ref: 001C43F6
                                                    • Part of subcall function 001C4370: lstrlenA.KERNEL32(?), ref: 001C4421
                                                    • Part of subcall function 001C4370: GetDriveTypeA.KERNELBASE(?), ref: 001C4483
                                                    • Part of subcall function 001C4370: wsprintfA.USER32 ref: 001C44D8
                                                    • Part of subcall function 001C4370: SetFileAttributesA.KERNEL32(?,00000080), ref: 001C44ED
                                                    • Part of subcall function 001C4370: DeleteFileA.KERNEL32(?), ref: 001C44FA
                                                    • Part of subcall function 001C4370: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 001C4519
                                                  • RegisterClassA.USER32(00000003), ref: 001C5843
                                                  • CreateWindowExA.USER32(00000000,USBProc,USB,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 001C5872
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: LibraryLoad$File$Createwsprintf$AttributesClassCountDeleteDriveFolderPathQueryRegisterTickTypeVirtualWindowlstrlen
                                                  • String ID: USB$USBProc$USBProc$advapi32.dll$gdi32.dll$netapi32.dll$rpcrt4.dll$shell32.dll$urlmon.dll$user32.dll$wininet.dll
                                                  • API String ID: 2586757493-1785499669
                                                  • Opcode ID: 9aa7265b5c57059d51fdd4682756603cddd53992ae6ad4ca8ed9a58a2f07d35c
                                                  • Instruction ID: 4b22ac9094e5ab29d20f48d3ad5d87d9d678e84cf6aba4ea672d54d1f842e957
                                                  • Opcode Fuzzy Hash: 9aa7265b5c57059d51fdd4682756603cddd53992ae6ad4ca8ed9a58a2f07d35c
                                                  • Instruction Fuzzy Hash: 3E312E799C1348BBDB009FE0EC0EF9D7B78AB25705F14400DF602AA692DBB5D5848B61

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  Basic blocks (address range, calls, successors):
                                                  • 347: 1c8520-1c8559 SHGetSpecialFolderPathA → 348
                                                  • 348: 1c855f-1c85a0 → 348, 349
                                                  • 349: 1c85a2-1c85aa → 350
                                                  • 350: 1c85b0-1c85cd → 350, 351
                                                  • 351: 1c85cf-1c8626 → 352
                                                  • 352: 1c862c-1c866d → 352, 353
                                                  • 353: 1c866f-1c8677 → 354
                                                  • 354: 1c867d-1c869a → 354, 355
                                                  • 355: 1c869c-1c86c5 → 356
                                                  • 356: 1c86cb-1c86e7 → 356, 357
                                                  • 357: 1c86e9-1c871a → 358
                                                  • 358: 1c8720-1c873c → 358, 359
                                                  • 359: 1c873e-1c889c CreateThread * 4, call 1c7fe0, call 1c8180 * 2, CreateThread * 2, WaitForMultipleObjects
                                                  APIs
                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,00000000), ref: 001C8537
                                                  • CreateThread.KERNELBASE(00000000,00000000,001C83C0,001D1828,00000000,001C8BF8), ref: 001C87C0
                                                  • CreateThread.KERNELBASE(00000000,00000000,001C83C0,001D1620,00000000,?), ref: 001C87DD
                                                  • CreateThread.KERNELBASE(00000000,00000000,001C83C0,001D140C,00000000,?), ref: 001C87FA
                                                  • CreateThread.KERNELBASE(00000000,00000000,001C83C0,001D1C40,00000000,?), ref: 001C8817
                                                    • Part of subcall function 001C7FE0: GetVersionExA.KERNEL32(00000094), ref: 001C7FFA
                                                    • Part of subcall function 001C8180: SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 001C8199
                                                    • Part of subcall function 001C8180: SHGetSpecialFolderPathA.SHELL32(00000000,?,00000024,00000000), ref: 001C81AE
                                                    • Part of subcall function 001C8180: wsprintfA.USER32 ref: 001C81D1
                                                  • CreateThread.KERNELBASE(00000000,00000000,001C8020,001D1308,00000000,001C5EE9), ref: 001C8862
                                                  • CreateThread.KERNELBASE(00000000,00000000,001C8020,001D10B0,00000000,?), ref: 001C887F
                                                  • WaitForMultipleObjects.KERNEL32(00000006,?,00000001,000000FF), ref: 001C8892
                                                  Strings
                                                  • \Microsoft\Windows, xrefs: 001C85D5
                                                  • \Update, xrefs: 001C86A2
                                                  • Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 001C8766
                                                  • Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 001C877A
                                                  • Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 001C87A2
                                                  • Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 001C878E
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: CreateThread$FolderPathSpecial$MultipleObjectsVersionWaitwsprintf
                                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Run$Software\Microsoft\Windows\CurrentVersion\Run$Software\Microsoft\Windows\CurrentVersion\RunOnce$Software\Microsoft\Windows\CurrentVersion\RunOnce$\Microsoft\Windows$\Update
                                                  • API String ID: 795435823-3111104849
                                                  • Opcode ID: 5f72ff15c692f6346b301317bb0826d2ec7c1fb0540de3c031277507028b9f1c
                                                  • Instruction ID: de60045de08b97c691d6dd68c2e767106d851a28b016e6b522915951fc00016f
                                                  • Opcode Fuzzy Hash: 5f72ff15c692f6346b301317bb0826d2ec7c1fb0540de3c031277507028b9f1c
                                                  • Instruction Fuzzy Hash: BAA15574E84368AFDB24CF64DC85BE9BBB1BB19704F1441C9E508A7391CBB1AA84CF44

                                                  Control-flow Graph

                                                  APIs
                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000024,00000000), ref: 001C88B6
                                                  • wsprintfA.USER32 ref: 001C88D6
                                                    • Part of subcall function 001CA9E0: GetTickCount.KERNEL32 ref: 001CA9ED
                                                  • wsprintfA.USER32 ref: 001C8911
                                                  • SetFileAttributesA.KERNELBASE(?,00000080), ref: 001C8926
                                                  • MoveFileA.KERNEL32(?,?), ref: 001C893A
                                                  • GetLastError.KERNEL32 ref: 001C8949
                                                  • lstrlenA.KERNEL32(?), ref: 001C8981
                                                  • SHFileOperationA.SHELL32(?), ref: 001C89B1
                                                  • MoveFileA.KERNEL32(?,00000000), ref: 001C89C5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: File$Movewsprintf$AttributesCountErrorFolderLastOperationPathSpecialTicklstrlen
                                                  • String ID: %s\%s$%s\Recycler
                                                  • API String ID: 1234021666-2144182538
                                                  • Opcode ID: 28cefe381214b0aaba51d0f133af44e1277dbceb5daded15804996401db8919f
                                                  • Instruction ID: f4a44e0f3fcd5b019de09d4de446abf2e26512a29faae3b36ae049658c2cd527
                                                  • Opcode Fuzzy Hash: 28cefe381214b0aaba51d0f133af44e1277dbceb5daded15804996401db8919f
                                                  • Instruction Fuzzy Hash: C731817588021CABDB21DB60DC89FE97B7CAB25704F4045D8E60DA6181EBB4DBD8CF51

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  Basic blocks (address range, calls, successors):
                                                  • 393: 414ae0-414af0 → 394, 395
                                                  • 394: 414af2-414af7 → 395, 396
                                                  • 395: 414b54-414b5b
                                                  • 396: 414af9-414b49 call 4135f0, strncpy, sprintf, CreateMutexA → 399, 400
                                                  • 399: 414b4b-414b51 call 414880 → 395
                                                  • 400: 414b5c-414b94 _snprintf, OpenFileMappingA → 402, 403
                                                  • 402: 414b96-414b97 FindCloseChangeNotification → 403
                                                  • 403: 414b9d-414b9f → 405, 406
                                                  • 405: 414ba1-414bb2 call 414560 → 406, 413
                                                  • 406: 414bb4-414bb7 call 414470 → 410
                                                  • 410: 414bbc-414bc6 → 411, 412
                                                  • 411: 414bc8-414bce call 414880 → 413
                                                  • 412: 414bda-414bdc → 415, 416
                                                  • 413: 414bd1-414bd9
                                                  • 415: 414c08-414c13
                                                  • 416: 414bde-414beb WaitForSingleObject → 415, 418
                                                  • 418: 414bed-414c02 ReleaseMutex → 415
                                                  APIs
                                                  • strncpy.MSVCRT ref: 00414B1A
                                                  • sprintf.MSVCRT ref: 00414B2C
                                                  • CreateMutexA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00414B3F
                                                  • _snprintf.MSVCRT ref: 00414B6F
                                                  • OpenFileMappingA.KERNEL32(000F001F,00000000,?), ref: 00414B85
                                                  • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00414B97
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00414BE3
                                                  • ReleaseMutex.KERNEL32(?,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00414C02
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Mutex$ChangeCloseCreateFileFindMappingNotificationObjectOpenReleaseSingleWait_snprintfsprintfstrncpy
                                                  • String ID: %s_0$-%sMutex
                                                  • API String ID: 1674471773-892854768
                                                  • Opcode ID: 614d5cbe4b194be4957b297e5bb8d4845ce506502980fc9f538012618df21a30
                                                  • Instruction ID: d24fc83520849de25c999b7310bfae2f9fc29d61fa5c6db081ec6c476c5f2279
                                                  • Opcode Fuzzy Hash: 614d5cbe4b194be4957b297e5bb8d4845ce506502980fc9f538012618df21a30
                                                  • Instruction Fuzzy Hash: 58315AB57002046BD7209F65EC81FDB73ECAF90714F04452BF94897291EAB8E9C58698
                                                  APIs
                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 001C8199
                                                  • SHGetSpecialFolderPathA.SHELL32(00000000,?,00000024,00000000), ref: 001C81AE
                                                  • wsprintfA.USER32 ref: 001C81D1
                                                  Strings
                                                  • %s\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup, xrefs: 001C81C8
                                                  • %s\Documents and Settings\All users\Start Menu\Programs\Startup, xrefs: 001C81E3
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: FolderPathSpecial$wsprintf
                                                  • String ID: %s\Documents and Settings\All users\Start Menu\Programs\Startup$%s\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
                                                  • API String ID: 1457244361-2502705976
                                                  • Opcode ID: 108269e0d4a4c2b67d9bdf96ea2f3fbe936a4afad8b32d9d4c5f8e1e1e7cf9a1
                                                  • Instruction ID: 433d59ebee1043f5a63b5d3b0b4a21628349cae26c63a30bf46d6296a97d4de2
                                                  • Opcode Fuzzy Hash: 108269e0d4a4c2b67d9bdf96ea2f3fbe936a4afad8b32d9d4c5f8e1e1e7cf9a1
                                                  • Instruction Fuzzy Hash: 21016D30584208AFEB14DF54DC4AFEA3768AB21B05F484148FA495A1D0DBB4E9D4CB52
                                                  APIs
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001C4F1D
                                                  • Process32First.KERNEL32(?,00000128), ref: 001C4F36
                                                  • lstrcmpiA.KERNEL32(?,001C5C89), ref: 001C4F46
                                                  • lstrcmpiA.KERNEL32(?,001C5C89), ref: 001C4F6A
                                                  • Process32Next.KERNEL32(?,00000128), ref: 001C4F91
                                                  • FindCloseChangeNotification.KERNELBASE(?), ref: 001C4FA1
                                                    • Part of subcall function 001CA090: OpenProcess.KERNEL32(00000001,00000000,001C4F80,?,?,001C4F80,?), ref: 001CA09C
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Process32lstrcmpi$ChangeCloseCreateFindFirstNextNotificationOpenProcessSnapshotToolhelp32
                                                  • String ID:
                                                  • API String ID: 1934148456-0
                                                  • Opcode ID: acbd73e6290b57d8f9958b4cd47a22f9da0cdffedf1ed56cadcd10dc7abfec9e
                                                  • Instruction ID: 213445335d27202c75b5a56c809aa2ad7e0735218b8f63d6065a57dd16f0445d
                                                  • Opcode Fuzzy Hash: acbd73e6290b57d8f9958b4cd47a22f9da0cdffedf1ed56cadcd10dc7abfec9e
                                                  • Instruction Fuzzy Hash: C21151B6900218ABDB20EB70DC86FDA777DAB2C700F00419CF64996142EB75DAA48F91
                                                  APIs
                                                  • ReadProcessMemory.KERNELBASE(?,?,00000000,00000010,?), ref: 00412FD2
                                                  • WriteProcessMemory.KERNELBASE(?,00000000,?,00000020,?), ref: 0041301C
                                                  • WriteProcessMemory.KERNELBASE(?,?,?,00000000,00000020), ref: 00413036
                                                  • WriteProcessMemory.KERNELBASE(?,00000000,00000000,00000004,00000020), ref: 00413053
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: MemoryProcess$Write$Read
                                                  • String ID:
                                                  • API String ID: 2454571318-3916222277
                                                  • Opcode ID: c5ea7faec2228af470a69961955c7189ee9097f64482b14bfcc67bca37c5a9ed
                                                  • Instruction ID: dbfd07e0d982764b1403be403738505719c4d4d89a7d9f8bb71497bfb83a2a3e
                                                  • Opcode Fuzzy Hash: c5ea7faec2228af470a69961955c7189ee9097f64482b14bfcc67bca37c5a9ed
                                                  • Instruction Fuzzy Hash: 4C3181B260050DAADB10DE99DC80EFFB7BCEB44751F104126E904A6248E775AF85C7A4
                                                  APIs
                                                  • _snprintf.MSVCRT ref: 004144A7
                                                  • OpenFileMappingA.KERNEL32(000F001F,00000000,?), ref: 004144BD
                                                  • MapViewOfFile.KERNELBASE(?,000F001F,00000000,00000000,00000000), ref: 004144F0
                                                  • CloseHandle.KERNEL32(?), ref: 0041451B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: File$CloseHandleMappingOpenView_snprintf
                                                  • String ID: %s_%d
                                                  • API String ID: 460513966-1933919280
                                                  • Opcode ID: 0643a76345e97aee8b111b0e6bff1ca11bdc986f074de29bd0d53c4609e30254
                                                  • Instruction ID: b4ec24585d023260bc254091ed9c7f6f742703c032d9373286420b3b03d66cca
                                                  • Opcode Fuzzy Hash: 0643a76345e97aee8b111b0e6bff1ca11bdc986f074de29bd0d53c4609e30254
                                                  • Instruction Fuzzy Hash: AC21D4B22507069BD332CF08DD89B72B3E9EB84304F84857DA74687685DB7CB860DB44
                                                  APIs
                                                    • Part of subcall function 001C8E00: RegOpenKeyExA.KERNELBASE(?,?,00000000,?,?,?,000F003F), ref: 001C8E1B
                                                    • Part of subcall function 001C8CF0: GetProcessHeap.KERNEL32(?,?,001C83FC,?,?,000F003F), ref: 001C8D0B
                                                    • Part of subcall function 001C8E80: RegQueryInfoKeyA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001C8ED5
                                                  • lstrcpyA.KERNEL32(?,?,001C8200,?,?,?,000F003F), ref: 001C8426
                                                  • PathRemoveFileSpecA.SHLWAPI(?), ref: 001C8433
                                                  • PathFindFileNameA.SHLWAPI(?,00000000,?,000F003F), ref: 001C845A
                                                    • Part of subcall function 001C8E40: SHDeleteKeyA.SHLWAPI(?,001C8475,001C8475,?), ref: 001C8E53
                                                    • Part of subcall function 001C8FE0: RegFlushKey.ADVAPI32(?,001C847D,?), ref: 001C8FEF
                                                    • Part of subcall function 001C9010: RegCloseKey.KERNELBASE(?,?,000F003F), ref: 001C9040
                                                    • Part of subcall function 001C8DB0: RegCreateKeyExA.KERNELBASE(000F003F,?,00000000,00000000,00000000,00000000,00000000,?,00000000,?,000F003F), ref: 001C8DDC
                                                  • lstrlenA.KERNEL32(-00000105,?,?,000F003F,?), ref: 001C84B7
                                                  • RegSetValueExA.KERNELBASE(00000000,00000000,00000000,00000001,-00000105,-00000001), ref: 001C84DC
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: FilePath$CloseCreateDeleteFindFlushHeapInfoNameOpenProcessQueryRemoveSpecValuelstrcpylstrlen
                                                  • String ID:
                                                  • API String ID: 3965768071-0
                                                  • Opcode ID: 76bccfbd4398dac629d5149b5f84425f838a1891f759bd4b8224eef938b285d8
                                                  • Instruction ID: 5f2d789332052c56f2e84b5f42d723dff94bc8cf7d6ff355c0f4c4fff244ef04
                                                  • Opcode Fuzzy Hash: 76bccfbd4398dac629d5149b5f84425f838a1891f759bd4b8224eef938b285d8
                                                  • Instruction Fuzzy Hash: 9E41BA75910108EBCB08EBA4C995FEDB779EF68300F50819DA506A7292DF30AF96DF50
                                                  APIs
                                                  • DestroyWindow.USER32(?), ref: 001C401F
                                                  • UnregisterDeviceNotification.USER32(?), ref: 001C402F
                                                  • PostQuitMessage.USER32(00000000), ref: 001C4037
                                                  • DefWindowProcA.USER32(?,?,?,?), ref: 001C4051
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Window$DestroyDeviceMessageNotificationPostProcQuitUnregister
                                                  • String ID:
                                                  • API String ID: 1588911345-0
                                                  • Opcode ID: aedf000f0e4ba127b0754730900609d1b25021db432d9212b55c5e1a2ae1668b
                                                  • Instruction ID: e5f62d8616d9a60ab159315f7dbb2a4d287a1b0e8733457c24733fffab282918
                                                  • Opcode Fuzzy Hash: aedf000f0e4ba127b0754730900609d1b25021db432d9212b55c5e1a2ae1668b
                                                  • Instruction Fuzzy Hash: F021E43499A108FFC714CFA4E818EAE77B4FB28301F10891EFA1687650C731DA90EB51
                                                  APIs
                                                  • CLSIDFromString.OLE32({A5DCBF10-6530-11D2-901F-00C04FB951ED},?), ref: 001C3F81
                                                  • RegisterDeviceNotificationA.USER32(?,00000020,00000000), ref: 001C3F91
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: DeviceFromNotificationRegisterString
                                                  • String ID: ${A5DCBF10-6530-11D2-901F-00C04FB951ED}
                                                  • API String ID: 127757251-800553358
                                                  • Opcode ID: 5f71ffd3a89d45937f7412d72a5bf22c0322ac9fe3600beba2d3e57fe8c5c00c
                                                  • Instruction ID: a3062df8f4dc61381a95235451a17cb5d3110636bd1b28c31d3a1bed33307df3
                                                  • Opcode Fuzzy Hash: 5f71ffd3a89d45937f7412d72a5bf22c0322ac9fe3600beba2d3e57fe8c5c00c
                                                  • Instruction Fuzzy Hash: 6AF0F8B5C40208AFCB40CFE8D849BEEBBF8BB48300F108159E509E2240E77496408FA1
                                                  APIs
                                                  • GetNativeSystemInfo.KERNELBASE(?,00000000,kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,00414D5C), ref: 00414007
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: InfoNativeSystem
                                                  • String ID: GetNativeSystemInfo$kernel32.dll
                                                  • API String ID: 1721193555-192647395
                                                  • Opcode ID: 1eacd4d153507866a13c3458307923849ee2b4d4a21a4e7d9ef02c102b749aa0
                                                  • Instruction ID: 4c7958f7125965a8953240ff24fcd0e57d6260c1c6dce60c83ad1185982c957a
                                                  • Opcode Fuzzy Hash: 1eacd4d153507866a13c3458307923849ee2b4d4a21a4e7d9ef02c102b749aa0
                                                  • Instruction Fuzzy Hash: C501EDB4D083099ACB08EFAAA9412DE7BF4AB49705F10447FE008B2750D7385781CB5D
                                                  APIs
                                                  • RegQueryInfoKeyA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001C8ED5
                                                  • RegEnumValueA.KERNELBASE(?,00000000,?,00000208,00000000,?,?,00000105), ref: 001C8F68
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: EnumInfoQueryValue
                                                  • String ID:
                                                  • API String ID: 918324718-0
                                                  • Opcode ID: 8fed0e6edbf23b51d1000dc0cc6d71922c47971e802b4bfe061ca32c84dba8ce
                                                  • Instruction ID: 3d4bf837cfcf59b94b8b4ed0c2907a92808d570d9a7e76e08ea49a29035863ef
                                                  • Opcode Fuzzy Hash: 8fed0e6edbf23b51d1000dc0cc6d71922c47971e802b4bfe061ca32c84dba8ce
                                                  • Instruction Fuzzy Hash: B531B37191022CABDB6ACF54CCC5BDAB7B9AB58704F1085DDE609A7240DB70ABC4CF90
                                                  APIs
                                                  • LdrGetProcedureAddress.NTDLL(?,00000000,00000000,?), ref: 0041376B
                                                  • LdrGetProcedureAddress.NTDLL(?,?,00000000,?), ref: 004137AF
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: AddressProcedure
                                                  • String ID:
                                                  • API String ID: 3653107232-0
                                                  • Opcode ID: d916fb3d09f505b5e870625196bcd88763eaf842b2ae23f8f29119995c41b669
                                                  • Instruction ID: 8a6d1ba6f2833d00f7118579034e2f006cc9ebe861673506762bbdbe54c94590
                                                  • Opcode Fuzzy Hash: d916fb3d09f505b5e870625196bcd88763eaf842b2ae23f8f29119995c41b669
                                                  • Instruction Fuzzy Hash: 8C019275200209AFDB04CF68D855FEA77A9EF48351F04C159FC05CB150EA30D68487A4
                                                  APIs
                                                  • RtlAnsiStringToUnicodeString.NTDLL(?,?,00000000), ref: 00413962
                                                  • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00413980
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: String$AnsiLoadUnicode
                                                  • String ID:
                                                  • API String ID: 4066666101-0
                                                  • Opcode ID: 8f38a61f1daf54c07d1ac47af60bd206603c507140edf79a598b100c461e184f
                                                  • Instruction ID: ff40f9fa86e28ce77c8c1fdf6c57ae152ff0ebc97516a9b12a557b6d52699271
                                                  • Opcode Fuzzy Hash: 8f38a61f1daf54c07d1ac47af60bd206603c507140edf79a598b100c461e184f
                                                  • Instruction Fuzzy Hash: C70184B5A0020CABDB04CFA5DC45BDEB774AF54304F008169E904D7250F6709744C795
                                                  APIs
                                                  • RegCreateKeyExA.KERNELBASE(000F003F,?,00000000,00000000,00000000,00000000,00000000,?,00000000,?,000F003F), ref: 001C8DDC
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  • Opcode ID: 6475c2b35c80e7495a99fe4dc90b1b91d20bc5978c7a0cb6433490fcb5e870e2
                                                  • Instruction ID: f0fabe6b80d478a15d34a28b72b1abcd9a67b3efb35dec25c5cc01da7a4ed368
                                                  • Opcode Fuzzy Hash: 6475c2b35c80e7495a99fe4dc90b1b91d20bc5978c7a0cb6433490fcb5e870e2
                                                  • Instruction Fuzzy Hash: D1F01C75A40208BFDB04CF98CC45FAE7BB8EB58700F10815DF6059B2C0D671AA94DB94
                                                  APIs
                                                  • RegCloseKey.KERNELBASE(?,?,000F003F), ref: 001C9040
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Close
                                                  • String ID:
                                                  • API String ID: 3535843008-0
                                                  • Opcode ID: 41f08b958a381cc51525fcc782137c93b7355aef21f19341b5a2922bdab2185b
                                                  • Instruction ID: 40874833c9df9486de0376bd3d300dd93167a7d4c3db94deea611a556f2cec74
                                                  • Opcode Fuzzy Hash: 41f08b958a381cc51525fcc782137c93b7355aef21f19341b5a2922bdab2185b
                                                  • Instruction Fuzzy Hash: 83F0F834A04208EBC704DB94D588FAD7BB9FB5A310F6040ADE80597750D771EDD19B55
                                                  APIs
                                                  • RegOpenKeyExA.KERNELBASE(?,?,00000000,?,?,?,000F003F), ref: 001C8E1B
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Open
                                                  • String ID:
                                                  • API String ID: 71445658-0
                                                  • Opcode ID: b8fd11e3470d88cb25f220deab3a244a76483de54fe7f5f28966e9f39ee3980f
                                                  • Instruction ID: ce19a7c905a9db13885ca84f80c5045dddd54fd6da0cea3a79ccebddf778c481
                                                  • Opcode Fuzzy Hash: b8fd11e3470d88cb25f220deab3a244a76483de54fe7f5f28966e9f39ee3980f
                                                  • Instruction Fuzzy Hash: 7AE01A75A04208FFCB00DFA8D945FAEBBB8AB18701F10815DF904D7240D670DE908B90
                                                  APIs
                                                  • SHDeleteKeyA.SHLWAPI(?,001C8475,001C8475,?), ref: 001C8E53
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Delete
                                                  • String ID:
                                                  • API String ID: 1035893169-0
                                                  • Opcode ID: 5c14894ae0301253d783c5de14a8abb5ce0e8011c71cab4da98a2c6314561889
                                                  • Instruction ID: 0088aa276d47b76e5a75ea339b97f0cccaf618326ed9cc34c3b4ac65c462516a
                                                  • Opcode Fuzzy Hash: 5c14894ae0301253d783c5de14a8abb5ce0e8011c71cab4da98a2c6314561889
                                                  • Instruction Fuzzy Hash: 5EE0EC74A0420CEFC700EFE8D884B9DBBB8AB59705F1081AAE905D7340D635DA90DB91
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0
                                                  • Opcode ID: b3b76d5357311bca55c486516e864a8895c4be697efe5c753cd53130e212a790
                                                  • Instruction ID: 2761d030bfc44fde3a837ecd35bb3ce8594b2d445ef58d5fe790fe4404d94c43
                                                  • Opcode Fuzzy Hash: b3b76d5357311bca55c486516e864a8895c4be697efe5c753cd53130e212a790
                                                  • Instruction Fuzzy Hash: 23E046B4904208FBCB04CF88E944FAABBB6EB05304F200098E80253680C772EE52EF90
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 001C7030
                                                  • SetLastError.KERNEL32(00000000), ref: 001C7066
                                                  • CreateMutexA.KERNEL32(00000000,00000000,SSLOADasdasc000900), ref: 001C7075
                                                  • GetLastError.KERNEL32 ref: 001C707B
                                                  • ExitThread.KERNEL32 ref: 001C708A
                                                  • GetProcAddress.KERNEL32(?,CloseHandle), ref: 001C70F2
                                                  • GetProcAddress.KERNEL32(?,CreateFileA), ref: 001C710A
                                                  • GetProcAddress.KERNEL32(?,DeleteFileA), ref: 001C7122
                                                  • GetProcAddress.KERNEL32(?,ExitProcess), ref: 001C713A
                                                  • GetProcAddress.KERNEL32(?,GetFileSize), ref: 001C7152
                                                  • GetProcAddress.KERNEL32(?,GetProcAddress), ref: 001C716A
                                                  • GetProcAddress.KERNEL32(?,GetSystemTime), ref: 001C7182
                                                  • GetProcAddress.KERNEL32(?,GetTempPathA), ref: 001C719A
                                                  • GetProcAddress.KERNEL32(?,LoadLibraryA), ref: 001C71B2
                                                  • GetProcAddress.KERNEL32(?,lstrcatA), ref: 001C71CA
                                                  • GetProcAddress.KERNEL32(?,lstrlenA), ref: 001C71E2
                                                  • GetProcAddress.KERNEL32(?,ReadFile), ref: 001C71FA
                                                  • GetProcAddress.KERNEL32(?,SetFileAttributesA), ref: 001C7212
                                                  • GetProcAddress.KERNEL32(?,WinExec), ref: 001C722A
                                                  • GetProcAddress.KERNEL32(?,WriteFile), ref: 001C7242
                                                  • GetProcAddress.KERNEL32(?,Sleep), ref: 001C725A
                                                  Strings
                                                  • SSLOADasdasc000900, xrefs: 001C706C
                                                  • GetFileSize, xrefs: 001C7146
                                                  • GetTempPathA, xrefs: 001C718E
                                                  • 9EEAi^^2A:]H:A>2?:2]4@>]4>@6?]CF^K<>4w|]8:7, xrefs: 001C754B
                                                  • %, xrefs: 001C75BA
                                                  • 9EEAi^^2A:]H:A>2?:2]4@>]H:A>2?:2]CF^{<HpIs]8:7, xrefs: 001C7503
                                                  • 9EEAi^^2A:]H:A>2?:2]4@>]D6=7>8]CF^2A:]8:7, xrefs: 001C74DF
                                                  • 9EEAi^^2A:]H:A>2?:2]4@>]DE4FD]CF^2A$!9G]8:7, xrefs: 001C7539
                                                  • c731200, xrefs: 001C7419
                                                  • urlmon.dll, xrefs: 001C72F0
                                                  • c731200, xrefs: 001C72A8
                                                  • 9EEAi^^2A:]H:A>2?:2]4@>]=@EJD]CF^Gy@yp:]8:7, xrefs: 001C7515
                                                  • CreateFileA, xrefs: 001C70FE
                                                  • InternetCheckConnectionA, xrefs: 001C7338
                                                  • lstrlenA, xrefs: 001C71D6
                                                  • 9EEAi^^2A:`]H:A>2?:2]4@>]H:A>D4]CF^2A:`]8:7, xrefs: 001C742B
                                                  • 9EEAi^^2A:c]H:A>2?:2]4@>]H:A>D4]CF^2A:c]8:7, xrefs: 001C7461
                                                  • DeleteFileA, xrefs: 001C7116
                                                  • URLDownloadToFileA, xrefs: 001C7314
                                                  • user32.dll, xrefs: 001C72DE
                                                  • 9EEAi^^2A:h]H:A>2?:2]4@>]H:A>D4]CF^2A:h]8:7, xrefs: 001C74BB
                                                  • 9EEAi^^2A:b]H:A>2?:2]4@>]H:A>D4]CF^2A:b]8:7, xrefs: 001C744F
                                                  • 9EEAi^^2A:d]H:A>2?:2]4@>]H:A>D4]CF^2A:d]8:7, xrefs: 001C7473
                                                  • \calc.exe, xrefs: 001C75D6
                                                  • 9EEAi^^2A:]H:A>2?:2]4@>]=@EFDd]CF^2A:]8:7, xrefs: 001C74F1
                                                  • wsprintfA, xrefs: 001C7302
                                                  • Sleep, xrefs: 001C724E
                                                  • SetFileAttributesA, xrefs: 001C7206
                                                  • GetLastError, xrefs: 001C7266
                                                  • wininet.dll, xrefs: 001C7326
                                                  • 9EEAi^^2A:]H:A>2?:2]4@>]2CE34@?b]CF^7C7{6r]8:7, xrefs: 001C755D
                                                  • abcdefghijklmnopqrstuvwxyz0123456789, xrefs: 001C704B
                                                  • .exe, xrefs: 001C73E7
                                                  • 9EEAi^^FA52E6]H:A>2?:2]4@>]C2F=9@DE]CF^=@8@]8:7, xrefs: 001C7581
                                                  • D, xrefs: 001C70C9
                                                  • 9EEAi^^2A:g]H:A>2?:2]4@>]H:A>D4]CF^2A:g]8:7, xrefs: 001C74A9
                                                  • CloseHandle, xrefs: 001C70E6
                                                  • 9EEAi^^2A:a]H:A>2?:2]4@>]H:A>D4]CF^2A:a]8:7, xrefs: 001C743D
                                                  • CreateMutexA, xrefs: 001C727E
                                                  • 9EEAi^^2A:]H:A>2?:2]4@>]J6=@E@]CF^KHu|Hs]8:7, xrefs: 001C756F
                                                  • WriteFile, xrefs: 001C7236
                                                  • LoadLibraryA, xrefs: 001C71A6
                                                  • 9EEAi^^2A:f]H:A>2?:2]4@>]H:A>D4]CF^2A:f]8:7, xrefs: 001C7497
                                                  • ExitProcess, xrefs: 001C712E
                                                  • 9EEAi^^2A:]H:A>2?:2]4@>]7@H5]CF^2A:]8:7, xrefs: 001C74CD
                                                  • lstrcatA, xrefs: 001C71BE
                                                  • WinExec, xrefs: 001C721E
                                                  • 9EEAi^^2A:]H:A>2?:2]4@>]3H2ED]CF^~7;%|6]8:7, xrefs: 001C7527
                                                  • ReadFile, xrefs: 001C71EE
                                                  • GetProcAddress, xrefs: 001C715E
                                                  • kernel32.dll, xrefs: 001C702B
                                                  • http://www.google.com, xrefs: 001C734A
                                                  • 9EEAi^^2A:e]H:A>2?:2]4@>]H:A>D4]CF^2A:e]8:7, xrefs: 001C7485
                                                  • GetSystemTime, xrefs: 001C7176
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$ErrorLast$CreateExitHandleModuleMutexThread
                                                  • String ID: %$.exe$9EEAi^^2A:]H:A>2?:2]4@>]2CE34@?b]CF^7C7{6r]8:7$9EEAi^^2A:]H:A>2?:2]4@>]3H2ED]CF^~7;%|6]8:7$9EEAi^^2A:]H:A>2?:2]4@>]4>@6?]CF^K<>4w|]8:7$9EEAi^^2A:]H:A>2?:2]4@>]7@H5]CF^2A:]8:7$9EEAi^^2A:]H:A>2?:2]4@>]=@EFDd]CF^2A:]8:7$9EEAi^^2A:]H:A>2?:2]4@>]=@EJD]CF^Gy@yp:]8:7$9EEAi^^2A:]H:A>2?:2]4@>]D6=7>8]CF^2A:]8:7$9EEAi^^2A:]H:A>2?:2]4@>]DE4FD]CF^2A$!9G]8:7$9EEAi^^2A:]H:A>2?:2]4@>]H:A>2?:2]CF^{<HpIs]8:7$9EEAi^^2A:]H:A>2?:2]4@>]J6=@E@]CF^KHu|Hs]8:7$9EEAi^^2A:`]H:A>2?:2]4@>]H:A>D4]CF^2A:`]8:7$9EEAi^^2A:a]H:A>2?:2]4@>]H:A>D4]CF^2A:a]8:7$9EEAi^^2A:b]H:A>2?:2]4@>]H:A>D4]CF^2A:b]8:7$9EEAi^^2A:c]H:A>2?:2]4@>]H:A>D4]CF^2A:c]8:7$9EEAi^^2A:d]H:A>2?:2]4@>]H:A>D4]CF^2A:d]8:7$9EEAi^^2A:e]H:A>2?:2]4@>]H:A>D4]CF^2A:e]8:7$9EEAi^^2A:f]H:A>2?:2]4@>]H:A>D4]CF^2A:f]8:7$9EEAi^^2A:g]H:A>2?:2]4@>]H:A>D4]CF^2A:g]8:7$9EEAi^^2A:h]H:A>2?:2]4@>]H:A>D4]CF^2A:h]8:7$9EEAi^^FA52E6]H:A>2?:2]4@>]C2F=9@DE]CF^=@8@]8:7$CloseHandle$CreateFileA$CreateMutexA$D$DeleteFileA$ExitProcess$GetFileSize$GetLastError$GetProcAddress$GetSystemTime$GetTempPathA$InternetCheckConnectionA$LoadLibraryA$ReadFile$SSLOADasdasc000900$SetFileAttributesA$Sleep$URLDownloadToFileA$WinExec$WriteFile$\calc.exe$abcdefghijklmnopqrstuvwxyz0123456789$c731200$c731200$http://www.google.com$kernel32.dll$lstrcatA$lstrlenA$urlmon.dll$user32.dll$wininet.dll$wsprintfA
                                                  • API String ID: 62013889-2070274522
                                                  • Opcode ID: 3dc4317ba2276079b051ada437659bf4a9f5dc3d310ac77a64fb6cf12ebc0039
                                                  • Instruction ID: 010b143821370481faed5f437c402e2926c269bfafbcedf1afd59f031277c5ba
                                                  • Opcode Fuzzy Hash: 3dc4317ba2276079b051ada437659bf4a9f5dc3d310ac77a64fb6cf12ebc0039
                                                  • Instruction Fuzzy Hash: FD026E71A80318BFDB20DBB0DC49FED7B74AB1A701F444598F609A6682D7B9DA84CF50
                                                  APIs
                                                  • CreateThread.KERNEL32(00000000,00000000,001C7020,00000000,00000000,00000000), ref: 001C4FC8
                                                  • GetModuleFileNameW.KERNEL32(00000000,001D1418,00000207), ref: 001C4FF4
                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,IsWow64Process), ref: 001C5004
                                                  • GetProcAddress.KERNEL32(00000000), ref: 001C500B
                                                  • GetCommandLineA.KERNEL32(-aav_start), ref: 001C501B
                                                  • StrStrA.SHLWAPI(00000000), ref: 001C5022
                                                  • GetCommandLineA.KERNEL32(-shell), ref: 001C503B
                                                  • StrStrA.SHLWAPI(00000000), ref: 001C5042
                                                  • SetLastError.KERNEL32(00000000), ref: 001C5052
                                                  • CreateMutexA.KERNEL32(00000000,00000000,Windows_Shared_Mutex_231_c000900), ref: 001C5061
                                                  • GetLastError.KERNEL32 ref: 001C506C
                                                  • ExitProcess.KERNEL32 ref: 001C507B
                                                  • ExitProcess.KERNEL32 ref: 001C538D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: CommandCreateErrorExitLastLineModuleProcess$AddressFileHandleMutexNameProcThread
                                                  • String ID: %$-aav_start$-shell$CFlagc000900$CreateMutexA$CreateProcessW$D$ExitProcess$GetLastError$GetProcessVersion$IsWow64Process$SVCHOST_MUTEX_OBJECT_RELEASED_c000900$SetLastError$Sleep$Windows_Shared_Mutex_231_c000900$\mspaint.exe$\svchost.exe$kernel32.dll$kernel32.dll
                                                  • API String ID: 395199812-1192088189
                                                  • Opcode ID: be9ea51949214171df5f05d3f76a38b1f6fc8703b8cb894000b0ccf6bc1e8a91
                                                  • Instruction ID: 922707f73b30f67e8863073708d6f824e0f31048fe11e7a935e55090fb04bd58
                                                  • Opcode Fuzzy Hash: be9ea51949214171df5f05d3f76a38b1f6fc8703b8cb894000b0ccf6bc1e8a91
                                                  • Instruction Fuzzy Hash: 59A162B5AC0304BFE7109BA0EC4AFA93B75AB25B01F044059F709A66D2DBB4E6D0CF55
                                                  APIs
                                                  • memset.MSVCRT ref: 0041B4A2
                                                    • Part of subcall function 004173E0: memset.MSVCRT ref: 00417401
                                                    • Part of subcall function 004173E0: memset.MSVCRT ref: 00417419
                                                    • Part of subcall function 004173E0: lstrlenA.KERNEL32(?), ref: 00417431
                                                    • Part of subcall function 004173E0: _snprintf.MSVCRT ref: 00417449
                                                    • Part of subcall function 004173E0: _vsnprintf.MSVCRT ref: 0041746B
                                                    • Part of subcall function 004173E0: lstrlenA.KERNEL32(?), ref: 0041747A
                                                  • lstrcpyA.KERNEL32(?,00421335), ref: 0041B51A
                                                  • HeapAlloc.KERNEL32(?,00000008,00000104), ref: 0041B536
                                                  • GetVersionExA.KERNEL32(?), ref: 0041B550
                                                  • lstrcpyA.KERNEL32(?,ERR), ref: 0041B5F5
                                                  • HeapAlloc.KERNEL32(?,00000008,00000104), ref: 0041B60D
                                                  • strstr.MSVCRT ref: 0041B641
                                                  • lstrlenA.KERNEL32(00000000), ref: 0041B650
                                                  • lstrlenA.KERNEL32(-00000004), ref: 0041B65F
                                                  • GetLocaleInfoA.KERNEL32(00000800,00000007,00000000,00000400), ref: 0041B67D
                                                  • lstrcmpA.KERNEL32(-00000004,00422BE4), ref: 0041B6A8
                                                  • GetLocaleInfoA.KERNEL32(00000800,00000007,00000000,00000400), ref: 0041B6C5
                                                  • lstrcpyA.KERNEL32(?,00000000), ref: 0041B719
                                                  • HeapAlloc.KERNEL32(?,00000008,00000104), ref: 0041B74A
                                                    • Part of subcall function 00411BA0: GetSystemTimeAsFileTime.KERNEL32(?), ref: 00411BC5
                                                  • HeapAlloc.KERNEL32(?,00000008,00000104), ref: 0041B75B
                                                  • HeapAlloc.KERNEL32(?,00000008,00000104), ref: 0041B76E
                                                  • HeapAlloc.KERNEL32(?,00000008,00000104), ref: 0041B781
                                                  • _snprintf.MSVCRT ref: 0041B796
                                                  • _snprintf.MSVCRT ref: 0041B7AB
                                                  • lstrcpyA.KERNEL32(?,00422C0C), ref: 0041B7CD
                                                  • _snprintf.MSVCRT ref: 0041B7FC
                                                  • _snprintf.MSVCRT ref: 0041B863
                                                  • _snprintf.MSVCRT ref: 0041B878
                                                  • lstrcpyA.KERNEL32(?,00422C0C), ref: 0041B89A
                                                  • _snprintf.MSVCRT ref: 0041B8C9
                                                  • _snprintf.MSVCRT ref: 0041B8E0
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 0041B8F3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: _snprintf$AllocHeap$lstrcpy$lstrlen$memset$InfoLocaleTime$??3@FileSystemVersion_vsnprintflstrcmpstrstr
                                                  • String ID: 2K3$2K8$<br>$ERR$VIS$_%s_%s%s_%s$admin$http://api.wipmania.com/$isadmin$n%s_%s_%s%s_%s
                                                  • API String ID: 124843797-4052524521
                                                  • Opcode ID: 09e09c1d0e3d9c6c639646f3d559e32cc4c9b90c302f6e2cbfa01bda2730830d
                                                  • Instruction ID: 60687fb280eb161fb720db85fc3ca8fd8a4dc05ce5e746f568f1ef80c8748dae
                                                  • Opcode Fuzzy Hash: 09e09c1d0e3d9c6c639646f3d559e32cc4c9b90c302f6e2cbfa01bda2730830d
                                                  • Instruction Fuzzy Hash: C4C1C7B0740305BBD720DF51DC81FAB73B9FB54B09F50491EF242A6280D7B8E9858BA9
                                                  APIs
                                                  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,08000000,00000000), ref: 00411ECD
                                                  • GetLastError.KERNEL32 ref: 00411EDA
                                                  • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 00411EF5
                                                  • GetLastError.KERNEL32 ref: 00411EFF
                                                  • CloseHandle.KERNEL32(00000000), ref: 00411F06
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$AcquireCloseContextCreateCryptFileHandle
                                                  • String ID:
                                                  • API String ID: 2213256293-0
                                                  • Opcode ID: 05a482b3233881056cb7508851cd64aca90e771f3b664c58d7c2551492d1093d
                                                  • Instruction ID: bb730b84311c4d90620bec6f7132bf7e58141127e47a2f1da77b54b69ca3ab6f
                                                  • Opcode Fuzzy Hash: 05a482b3233881056cb7508851cd64aca90e771f3b664c58d7c2551492d1093d
                                                  • Instruction Fuzzy Hash: EF51A176700108AFDB209BE4EC88AFFB77CFB5C355F5045AAFA05D2260D73589528B68
                                                  APIs
                                                  • GetEnvironmentVariableA.KERNEL32(HOMEDRIVE,?,00000103), ref: 001C4DB4
                                                  • lstrcatA.KERNEL32(?,\Program Files\), ref: 001C4DC6
                                                  • lstrcatA.KERNEL32(?,?), ref: 001C4DD7
                                                  • lstrcatA.KERNEL32(?,001C18A8), ref: 001C4DE9
                                                  • lstrcpyA.KERNEL32(?,?), ref: 001C4DFD
                                                  • lstrcatA.KERNEL32(?,001C18AC), ref: 001C4E0F
                                                  • FindFirstFileA.KERNEL32(?,?), ref: 001C4E23
                                                  • lstrcpyA.KERNEL32(?,?), ref: 001C4E55
                                                  • lstrcatA.KERNEL32(?,?), ref: 001C4E69
                                                  • StrStrA.SHLWAPI(?,00000000), ref: 001C4E7C
                                                  • lstrcpyA.KERNEL32(?,?), ref: 001C4E94
                                                    • Part of subcall function 001C4CE0: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 001C4D0F
                                                    • Part of subcall function 001C4CE0: GetTickCount.KERNEL32 ref: 001C4D6D
                                                  • lstrcatA.KERNEL32(?,00000000), ref: 001C4EA7
                                                  • MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 001C4EBD
                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 001C4ED1
                                                  • FindClose.KERNEL32(000000FF), ref: 001C4EE6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: lstrcat$FileFindlstrcpy$CloseCountEnvironmentFirstInformationMoveNextTickVariableVolume
                                                  • String ID: HOMEDRIVE$\Program Files\
                                                  • API String ID: 3772047255-45981873
                                                  • Opcode ID: 08fbb3350bf280f8af0a9082f6d26dfe49e801abb88a89870b1a061c8451ab56
                                                  • Instruction ID: de64016cd465c71fe62aeb13dd6d9077da9c64c359254e13d0fbe3976c6e47d9
                                                  • Opcode Fuzzy Hash: 08fbb3350bf280f8af0a9082f6d26dfe49e801abb88a89870b1a061c8451ab56
                                                  • Instruction Fuzzy Hash: 3B31197698021CABCB21DBB0DC48FDA7B7CBB19701F444A89A20A92451DB78DBC5CF90
                                                  APIs
                                                  • NtQueryInformationThread.NTDLL(?,00000000,?,0000001C,00000000), ref: 004153E7
                                                  • OpenProcess.KERNEL32(0000047A,00000000,?), ref: 0041540E
                                                  • NtQueryInformationProcess.NTDLL(00000000,0000001B,?,00000400,00000000), ref: 0041542F
                                                  • CloseHandle.KERNEL32(00000000), ref: 004156C0
                                                    • Part of subcall function 00414900: WaitForSingleObject.KERNEL32(00417495,000000FF,?,00000000,771B0440,?,00417495), ref: 00414939
                                                    • Part of subcall function 00414900: ReleaseMutex.KERNEL32(?,?,00417495), ref: 0041497C
                                                  • InterlockedCompareExchange.KERNEL32(00000000,00000000), ref: 004154AB
                                                  • VirtualAllocEx.KERNEL32(00000000,00000000,?,00003000,00000040), ref: 0041552F
                                                  • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,?), ref: 0041554E
                                                  • NtQueryInformationProcess.NTDLL(00000000,00000000,?,00000018,00000000), ref: 00415573
                                                  • ReadProcessMemory.KERNEL32(00000000,?,?,00000004,?), ref: 004155A0
                                                  • ReadProcessMemory.KERNEL32(00000000,?,?,00000004,?), ref: 004155C4
                                                  • ReadProcessMemory.KERNEL32(00000000,?,?,00000004,?), ref: 004155EC
                                                  • ReadProcessMemory.KERNEL32(00000000,?,004489B0,00000005,?), ref: 00415618
                                                    • Part of subcall function 00414160: VirtualAllocEx.KERNEL32(?,00000000,00000000,00003000,00000040,00000000,?,?,?), ref: 00414192
                                                    • Part of subcall function 00414160: WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?), ref: 0041424F
                                                  • WriteProcessMemory.KERNEL32(00000000,?,?,00000005,?), ref: 004156B7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Process$Memory$Read$InformationQueryWrite$AllocVirtual$CloseCompareExchangeHandleInterlockedMutexObjectOpenReleaseSingleThreadWait
                                                  • String ID: STFU$zD$zD
                                                  • API String ID: 992379172-1520837193
                                                  • Opcode ID: d47957bfbcda124510e4626b7c54e4d01d410469e483709718448506b65b4997
                                                  • Instruction ID: 34b34e1221b6f138a1c42a0a33de9d307ce490d19935b41a28225bc2f00861a1
                                                  • Opcode Fuzzy Hash: d47957bfbcda124510e4626b7c54e4d01d410469e483709718448506b65b4997
                                                  • Instruction Fuzzy Hash: 7D9161B1A01609EBDB10DF94CC81FEF7778EB94704F50416AF505AB250E7789E81CBA9
                                                  APIs
                                                  • memset.MSVCRT ref: 0041F150
                                                  • memset.MSVCRT ref: 0041F168
                                                  • lstrcpyA.KERNEL32(?,?), ref: 0041F17B
                                                    • Part of subcall function 0041EDF0: memset.MSVCRT ref: 0041EE0E
                                                    • Part of subcall function 0041EDF0: vsprintf.MSVCRT ref: 0041EE22
                                                    • Part of subcall function 0041EDF0: PathAppendA.SHLWAPI(?,00000000), ref: 0041EE35
                                                  • SetCurrentDirectoryA.KERNEL32(?), ref: 0041F196
                                                  • FindFirstFileA.KERNEL32(?,?), ref: 0041F1AA
                                                  • CoInitialize.OLE32(00000000), ref: 0041F1C2
                                                  • _snprintf.MSVCRT ref: 0041F1E1
                                                  • FindNextFileA.KERNEL32(?,?), ref: 0041F20C
                                                  • strncmp.MSVCRT(?,00422FC0,00000008), ref: 0041F22E
                                                  • strstr.MSVCRT ref: 0041F246
                                                  • _snprintf.MSVCRT ref: 0041F26B
                                                  • FindNextFileA.KERNEL32(?,?), ref: 0041F290
                                                  • FindClose.KERNEL32(?), ref: 0041F29E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Find$Filememset$Next_snprintf$AppendCloseCurrentDirectoryFirstInitializePathlstrcpystrncmpstrstrvsprintf
                                                  • String ID: %s%s
                                                  • API String ID: 3870971729-3252725368
                                                  • Opcode ID: f7f9779f9594897ecfcdc2df61900fe7f9dcb8bd26eb54bde771fc055ec4c13d
                                                  • Instruction ID: 080bed8281bf5745de28d4804f4dd351e0d0e4112c74dc419c04bcf92b4b66d5
                                                  • Opcode Fuzzy Hash: f7f9779f9594897ecfcdc2df61900fe7f9dcb8bd26eb54bde771fc055ec4c13d
                                                  • Instruction Fuzzy Hash: 5741C575A4021CBBCB20DB61EC85FEB737CEF54304F4045AAB90892141E674AFC6CB64
                                                  APIs
                                                  • GetCommandLineW.KERNEL32(00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 001C53E9
                                                  • CreateProcessW.KERNEL32(?,00000000), ref: 001C53F4
                                                  • GetModuleHandleA.KERNEL32(ntdll.dll,NtUnmapViewOfSection), ref: 001C541F
                                                  • GetProcAddress.KERNEL32(00000000), ref: 001C5426
                                                  • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 001C546A
                                                  • WriteProcessMemory.KERNEL32(?,?,001C5388,?,00000000), ref: 001C5491
                                                  • WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000), ref: 001C54FE
                                                  • GetThreadContext.KERNEL32(?,00010007), ref: 001C551E
                                                  • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 001C5543
                                                  • SetThreadContext.KERNEL32(?,00010007), ref: 001C556F
                                                  • ResumeThread.KERNEL32(?), ref: 001C557C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Process$MemoryThreadWrite$Context$AddressAllocCommandCreateHandleLineModuleProcResumeVirtual
                                                  • String ID: NtUnmapViewOfSection$ntdll.dll
                                                  • API String ID: 195969970-1050664331
                                                  • Opcode ID: 2bd3ac04132a7aff9636802a7669f852e96f262615158c23cfa9b36fd16d7071
                                                  • Instruction ID: da2778291b4eeef5da2dda231fd6b1a7af0051920f55d063d581aa928972cafe
                                                  • Opcode Fuzzy Hash: 2bd3ac04132a7aff9636802a7669f852e96f262615158c23cfa9b36fd16d7071
                                                  • Instruction Fuzzy Hash: E8511775A81258ABCB54CB94CC99F9DB779BB48304F10818AFA09A7391DB30EAC1CF54
                                                  APIs
                                                  • GetTickCount.KERNEL32 ref: 00418292
                                                  • GetTickCount.KERNEL32 ref: 004182A8
                                                    • Part of subcall function 004181C0: WSAStartup.WS2_32(00000202,?), ref: 004181E3
                                                  • select.WS2_32(00000000,00000000,?,00000000,?), ref: 00418314
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: CountTick$Startupselect
                                                  • String ID:
                                                  • API String ID: 3882035529-0
                                                  • Opcode ID: 0c3efe1465827eff41c7fff811aed34e63c844a4f47968fd129c2ea30210f328
                                                  • Instruction ID: 35029b1ea872dd866a4127ed940a93610ccc6c7b265f756c0a07624e55c45a9d
                                                  • Opcode Fuzzy Hash: 0c3efe1465827eff41c7fff811aed34e63c844a4f47968fd129c2ea30210f328
                                                  • Instruction Fuzzy Hash: 9CA1D6B1900604ABC734DF69D881AEBB3F9EF44314F00451FE69D87241EB78A9C18BA9
                                                  APIs
                                                  • lstrcatA.KERNEL32(001C3B0B,001C1428), ref: 001C3832
                                                  • FindFirstFileA.KERNEL32(001C3B0B,?), ref: 001C3843
                                                  • StrRChrA.SHLWAPI(001C3B0B,00000000,0000005C), ref: 001C386E
                                                  • lstrcpynA.KERNEL32(?,001C3B0B,001C3B09), ref: 001C38A2
                                                  • lstrcatA.KERNEL32(?,?), ref: 001C38B6
                                                  • StrStrIA.SHLWAPI(?,.exe), ref: 001C38E5
                                                  • lstrcpyA.KERNEL32(?,?), ref: 001C3902
                                                  • lstrlenA.KERNEL32(?), ref: 001C3921
                                                  • FindNextFileA.KERNEL32(?,?), ref: 001C3953
                                                  • FindClose.KERNEL32(?), ref: 001C3968
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Find$Filelstrcat$CloseFirstNextlstrcpylstrcpynlstrlen
                                                  • String ID: .exe
                                                  • API String ID: 1387831469-4119554291
                                                  • Opcode ID: 66e7f887ac2828b409e110c24c5fd37de0cbb1018850288faa123798eb914953
                                                  • Instruction ID: 1dfa41319870ba556a2b5cac5303017a67d5482ee705edfcbda45ed242383b26
                                                  • Opcode Fuzzy Hash: 66e7f887ac2828b409e110c24c5fd37de0cbb1018850288faa123798eb914953
                                                  • Instruction Fuzzy Hash: 3F318DB5801608ABCB15CFB0EC88FEE7B79BB49701F048689E60696651D774EAC4CF50
                                                  APIs
                                                  • memset.MSVCRT ref: 0041E8A0
                                                  • lstrlenA.KERNEL32(30e4*ga1), ref: 0041E8AD
                                                  • _snprintf.MSVCRT ref: 0041E8D0
                                                  • CreateNamedPipeA.KERNEL32(00000000,00000003,00000006,000000FF,00000800,00000800,00001388,00000000), ref: 0041E8FF
                                                  • ConnectNamedPipe.KERNEL32(00000000,00000000), ref: 0041E913
                                                  • GetLastError.KERNEL32 ref: 0041E91D
                                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000D7A0,00000000,00000000,00000000), ref: 0041E941
                                                  • CloseHandle.KERNEL32(00000000), ref: 0041E94B
                                                  • CreateNamedPipeA.KERNEL32(00000000,00000003,00000006,000000FF,00000800,00000800,00001388,00000000), ref: 0041E96E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: CreateNamedPipe$CloseConnectErrorHandleLastThread_snprintflstrlenmemset
                                                  • String ID: 30e4*ga1$\\.\pipe\%08x_ipc
                                                  • API String ID: 4065143564-3576121390
                                                  • Opcode ID: 2d885a535947a38c168036adc011ee3e61d28c026dc82605df64d5d2a98fddcf
                                                  • Instruction ID: 17844d5bce36e40c14630f7015147ef6897221eff920d0115dc9350fce52dc65
                                                  • Opcode Fuzzy Hash: 2d885a535947a38c168036adc011ee3e61d28c026dc82605df64d5d2a98fddcf
                                                  • Instruction Fuzzy Hash: 022138B57C03247AF33063659C47FB676589B14F10FA04675FB05F91D0DAF4694146AC
                                                  APIs
                                                  • memset.MSVCRT ref: 00415844
                                                  • CloseHandle.KERNEL32(00000000), ref: 004158B9
                                                  • NtQueryInformationProcess.NTDLL(00000000,00000000,?,00000018,00000000), ref: 004158CF
                                                  • NtQueryInformationProcess.NTDLL(00000000,0000001B,00000000,00000800,00000000), ref: 004158FC
                                                  • InterlockedCompareExchange.KERNEL32(00000000,00000000), ref: 00415970
                                                  • CloseHandle.KERNEL32(00000000), ref: 00415A05
                                                    • Part of subcall function 004149F0: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,771B0440,?,004173CC,00447C98,00000000,00000000,00000010,00000000), ref: 00414A10
                                                    • Part of subcall function 004149F0: ReleaseMutex.KERNEL32(00000000,?,?,00000000), ref: 00414A77
                                                  • Sleep.KERNEL32(00000001), ref: 004159F9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: CloseHandleInformationProcessQuery$CompareExchangeInterlockedMutexObjectReleaseSingleSleepWaitmemset
                                                  • String ID: (mB$.`A$STFU
                                                  • API String ID: 1902471319-601535280
                                                  • Opcode ID: cf256d12c24fd14a7c7bbe8d61a9582179edadd6e1a83f737b56d15c78f676c2
                                                  • Instruction ID: 32b3e4ab2933d1e2dbe69b4795181dd62fd953d9c82507b1d9bb727399d7f1f2
                                                  • Opcode Fuzzy Hash: cf256d12c24fd14a7c7bbe8d61a9582179edadd6e1a83f737b56d15c78f676c2
                                                  • Instruction Fuzzy Hash: EE51B5B0A40215EBD720DFA9CC45BEE77B8EF84710F14816AF945E7280DB789E81CB94
                                                  APIs
                                                  • VirtualAlloc.KERNEL32(00000000,00008000,00001000,00000004), ref: 00419DA7
                                                  • CreateFileA.KERNEL32(\\.\PHYSICALDRIVE0,C0000000,00000003,00000000,00000003,20000080,00000000), ref: 00419DD5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: AllocCreateFileVirtual
                                                  • String ID: \\.\PHYSICALDRIVE0
                                                  • API String ID: 1475775534-1557481562
                                                  • Opcode ID: 82ff8d4220ac9e67c6ea7fc0749045c7396fb8b2af552e914961f1a28fa0d3b1
                                                  • Instruction ID: 3e9bcf01b1975e6179d55bdeb443b86fe0de1dbf18d282b62db5f83ae06007a2
                                                  • Opcode Fuzzy Hash: 82ff8d4220ac9e67c6ea7fc0749045c7396fb8b2af552e914961f1a28fa0d3b1
                                                  • Instruction Fuzzy Hash: A731B87278030876F63056A9AC46FEB775CD784B32F200262FB09EA1D0DAA06D4586B8
                                                  APIs
                                                    • Part of subcall function 001CA860: GetCurrentProcess.KERNEL32(00000000), ref: 001CA878
                                                  • SHGetFolderPathA.SHELL32(00000000,00000026,00000000,00000000,?), ref: 001C39DD
                                                  • lstrcatA.KERNEL32(?,001C1434), ref: 001C39EF
                                                  • FindFirstFileA.KERNEL32(?,?), ref: 001C3A37
                                                  • lstrlenA.KERNEL32(?,00000008), ref: 001C3A6B
                                                  • StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 001C3AA3
                                                  • lstrcpynA.KERNEL32(?,?,?), ref: 001C3AE5
                                                  • lstrcatA.KERNEL32(?,?), ref: 001C3AF9
                                                  • FindNextFileA.KERNEL32(?,?), ref: 001C3B26
                                                  • FindClose.KERNEL32(?), ref: 001C3B3B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Find$Filelstrcat$CloseCurrentFirstFolderNextPathProcesslstrcpynlstrlen
                                                  • String ID: &
                                                  • API String ID: 512788524-1010288
                                                  • Opcode ID: f40b1a6be6ce2c997891d12ad4ca57df024fe7a498c04ea84e85d6bf68077a29
                                                  • Instruction ID: 21eb6e1bf903cec5a628a3d55c5ec93b7d8a1b550f08bfd863fbce441f590bf0
                                                  • Opcode Fuzzy Hash: f40b1a6be6ce2c997891d12ad4ca57df024fe7a498c04ea84e85d6bf68077a29
                                                  • Instruction Fuzzy Hash: 3B419FB5940218BBDB25DB60DC89FDA7778BB29704F0481C8E219A6181EBB5DBC4CF90
                                                  APIs
                                                  • memset.MSVCRT ref: 00419EDF
                                                  • CreateFileA.KERNEL32(\\.\PHYSICALDRIVE0,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 00419F16
                                                  • DeviceIoControl.KERNEL32(00000000,00090018,00000000,00000000,00000000,00000000,?,00000000), ref: 00419F45
                                                  • WriteFile.KERNEL32(00000000,00000000,00000200,?,00000000), ref: 00419F5A
                                                  • DeviceIoControl.KERNEL32(00000000,0009001C,00000000,00000000,00000000,00000000,?,00000000), ref: 00419F74
                                                  • CloseHandle.KERNEL32(00000000), ref: 00419F77
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: ControlDeviceFile$CloseCreateHandleWritememset
                                                  • String ID: 00100$U$\\.\PHYSICALDRIVE0
                                                  • API String ID: 3939175881-3482488017
                                                  • Opcode ID: 4cd35f72f61a5ace90158be6f12a23a51319c9b44d70ad1de27ec0f39f59b2d8
                                                  • Instruction ID: 01f1022f991329a785ac6ac1e292d44fd73263958539fc308627e3bff65868a1
                                                  • Opcode Fuzzy Hash: 4cd35f72f61a5ace90158be6f12a23a51319c9b44d70ad1de27ec0f39f59b2d8
                                                  • Instruction Fuzzy Hash: EC11B231BC03187AF730A6A49C0BFEA766C8B59B11F600295F714BA1D19AE42A4587AD
                                                  APIs
                                                  • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00000000,00000002,00000000), ref: 001CB55F
                                                  • RegSetValueExA.ADVAPI32(00000000,ConsentPromptBehaviorAdmin,00000000,00000004,00000000,00000004), ref: 001CB585
                                                  • RegSetValueExA.ADVAPI32(00000000,ConsentPromptBehaviorUser,00000000,00000004,00000001,00000004), ref: 001CB5A5
                                                  • RegSetValueExA.ADVAPI32(00000000,EnableLUA,00000000,00000004,00000000,00000004), ref: 001CB5C5
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 001CB5CF
                                                  Strings
                                                  • ConsentPromptBehaviorUser, xrefs: 001CB59C
                                                  • ConsentPromptBehaviorAdmin, xrefs: 001CB57C
                                                  • EnableLUA, xrefs: 001CB5BC
                                                  • SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 001CB555
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Value$CloseOpen
                                                  • String ID: ConsentPromptBehaviorAdmin$ConsentPromptBehaviorUser$EnableLUA$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
                                                  • API String ID: 3241186055-378030391
                                                  • Opcode ID: 8135f2dbf1c60e4e268578f24053d20ad09fac2911f241d4947fbda6c8345e1c
                                                  • Instruction ID: 6f5f902e16c9e3e24c7c0282193db65b9f0e025cefdccc803e7a047409c933cb
                                                  • Opcode Fuzzy Hash: 8135f2dbf1c60e4e268578f24053d20ad09fac2911f241d4947fbda6c8345e1c
                                                  • Instruction Fuzzy Hash: DC11EDB5A80308FBEB20DBD0DD4AF9D7B78AB04B05F604548F701BA1D1C7B4AA94DB65
                                                  APIs
                                                  • FindFirstFileA.KERNEL32(*.*,?), ref: 001C5DA9
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001C5DE9
                                                  • Process32First.KERNEL32(?,00000128), ref: 001C5E02
                                                  • lstrcmpiA.KERNEL32(?,?), ref: 001C5E15
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: First$CreateFileFindProcess32SnapshotToolhelp32lstrcmpi
                                                  • String ID: *.*
                                                  • API String ID: 2426144774-438819550
                                                  • Opcode ID: de35f2fe7da2166fd330db2f899db7dc96385a57442423c6bed61a66bd27dcea
                                                  • Instruction ID: 7fca822c69aa0bdc251b627e24b75498f17ae7f72a984a64137a0006d93f74ea
                                                  • Opcode Fuzzy Hash: de35f2fe7da2166fd330db2f899db7dc96385a57442423c6bed61a66bd27dcea
                                                  • Instruction Fuzzy Hash: 3B21D671848618AADF20DBB08C4AFEDFB799F29704F0041DCE609A6151EB75EBC48F51
                                                  APIs
                                                  • printf.MSVCRT ref: 004134A0
                                                  • printf.MSVCRT ref: 004134AD
                                                  • printf.MSVCRT ref: 004134CC
                                                  • NtAllocateVirtualMemory.NTDLL(00000000,?,00000000,00447A80,00003000,00000040), ref: 004134F2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: printf$AllocateMemoryVirtual
                                                  • String ID: Done frst$block_size: %d$ngr->blocksize: %d
                                                  • API String ID: 3635587295-1816125109
                                                  • Opcode ID: bedfe4cb0b068cd8303e2b2d345d3b8aba5a682ad138b8c50736f157ebf451f0
                                                  • Instruction ID: ac5db04ccd39406710930db4b525f5d13a42fab830cf40b066cac72d9517daf1
                                                  • Opcode Fuzzy Hash: bedfe4cb0b068cd8303e2b2d345d3b8aba5a682ad138b8c50736f157ebf451f0
                                                  • Instruction Fuzzy Hash: 1741E671B00204ABDB14DF59D845EDAB7A9EF84329F14855EF8098B341E739EE81CB98
                                                  APIs
                                                    • Part of subcall function 00413920: RtlAnsiStringToUnicodeString.NTDLL(?,?,00000000), ref: 00413962
                                                    • Part of subcall function 00413750: LdrGetProcedureAddress.NTDLL(?,00000000,00000000,?), ref: 0041376B
                                                  • OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,NtShutdownSystem), ref: 0041A57A
                                                  • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0041A58F
                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0041A5B3
                                                  • GetLastError.KERNEL32 ref: 0041A5B9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: StringToken$AddressAdjustAnsiErrorLastLookupOpenPrivilegePrivilegesProcedureProcessUnicodeValue
                                                  • String ID: NtShutdownSystem$SeShutdownPrivilege$ntdll.dll
                                                  • API String ID: 4135695518-1699316426
                                                  • Opcode ID: e401ab7d8b7e274deb60707e4e21c712fd6b356bb0a0aa6ea5e0a95b6805a09d
                                                  • Instruction ID: ce719d45ed82a32134bdd59ac659e71271161c151e0e1bb298eb8668f5cccfb8
                                                  • Opcode Fuzzy Hash: e401ab7d8b7e274deb60707e4e21c712fd6b356bb0a0aa6ea5e0a95b6805a09d
                                                  • Instruction Fuzzy Hash: F5F0F470B403087BE720EBE19C0AFEF76AC9B04B05F50002AB604E65D0DAF46A4087A9
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 0ef2497d1d10084f524733944c15ef0b77a1b99eee6ef0a4cf96b1a67ec3c8af
                                                  • Instruction ID: 13c9212c214a369e3a8be5467fd77d8ffb447d9f978d4009432221f6a27fac1f
                                                  • Opcode Fuzzy Hash: 0ef2497d1d10084f524733944c15ef0b77a1b99eee6ef0a4cf96b1a67ec3c8af
                                                  • Instruction Fuzzy Hash: 7A31B3717002086BE7309F6AEC41FABB3ACEB84751F14456AFD19D7390DA35EC5186A8
                                                  APIs
                                                  • VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000004), ref: 001C4AB9
                                                  • VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040), ref: 001C4AE3
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID:
                                                  • API String ID: 4275171209-0
                                                  • Opcode ID: 1d03fecafb927832c1b56995db8343ca10787987ca313c25909c9a4754ba3139
                                                  • Instruction ID: 7c9b425399b5ff55dee034202d4b51274e8dc648d549b04b6c358c2a9a6b1626
                                                  • Opcode Fuzzy Hash: 1d03fecafb927832c1b56995db8343ca10787987ca313c25909c9a4754ba3139
                                                  • Instruction Fuzzy Hash: 8D216F75A41208FFD704DFA4DD65FAB7BB9A748700F108109F6099B2D0C371EA80CB94
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32 ref: 001CA98D
                                                  • OpenProcessToken.ADVAPI32(?,00000028,00000000), ref: 001CA9A0
                                                  • LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 001CA9B0
                                                  • AdjustTokenPrivileges.ADVAPI32(00000000,00000000,00000001,00000010,00000000,00000000), ref: 001CA9D4
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
                                                  • String ID:
                                                  • API String ID: 2349140579-0
                                                  • Opcode ID: 1186a77a38318fb7df03def0a9baf702f74dcf1f6441803d7eb6448f009812ce
                                                  • Instruction ID: 789aa784d21a26b0889cbce1bfa8ccbf857fb916b0f074a5f4c945eb78303c7f
                                                  • Opcode Fuzzy Hash: 1186a77a38318fb7df03def0a9baf702f74dcf1f6441803d7eb6448f009812ce
                                                  • Instruction Fuzzy Hash: 23F0B275940208BBD700DFD0DC4AFEEBF78EB45705F504149FA0566181D6B596948B91
                                                  APIs
                                                  • NtQuerySystemInformation.NTDLL(00000005,?,?,?), ref: 00415741
                                                  • NtQuerySystemInformation.NTDLL(00000005,?,?,?), ref: 0041578B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: InformationQuerySystem
                                                  • String ID: (mB
                                                  • API String ID: 3562636166-2174679836
                                                  • Opcode ID: b8a4dbce6e9b7e0933e7fe25ca726c1a770d2db177b8296c536ff49a0fa80bbe
                                                  • Instruction ID: 13bb16fb7d6c963c787ee25748b6222dc4bfc38fe74f6d773d55575354a6365d
                                                  • Opcode Fuzzy Hash: b8a4dbce6e9b7e0933e7fe25ca726c1a770d2db177b8296c536ff49a0fa80bbe
                                                  • Instruction Fuzzy Hash: 03415F75A00619EBDB10CB94DD81BFBB3B8EB84704F04455AE915A7380E678E990CBA4
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: memset
                                                  • String ID:
                                                  • API String ID: 2221118986-0
                                                  • Opcode ID: c0089952ace360ebcc3e34eb2580965971ac3f93c53b4d4a5c5986bf46cea3ca
                                                  • Instruction ID: 06dfe64bf8f2ad8721a98eab49a1aea7adf2b80e948e2cbbc4f3e25cbaf5d822
                                                  • Opcode Fuzzy Hash: c0089952ace360ebcc3e34eb2580965971ac3f93c53b4d4a5c5986bf46cea3ca
                                                  • Instruction Fuzzy Hash: B8A15CB19007059FCB20DFA5D9808ABB7F9FF84314B14896FE506D7700EB38E9918B95
                                                  APIs
                                                  • memset.MSVCRT ref: 0041F9FF
                                                  • GetLogicalDriveStringsA.KERNEL32(000001FF,00000000), ref: 0041FA22
                                                  • lstrcatA.KERNEL32(00000000,00423040), ref: 0041FA5C
                                                    • Part of subcall function 0041F430: memset.MSVCRT ref: 0041F459
                                                    • Part of subcall function 0041F430: memset.MSVCRT ref: 0041F472
                                                    • Part of subcall function 0041F430: memset.MSVCRT ref: 0041F48B
                                                    • Part of subcall function 0041F430: memset.MSVCRT ref: 0041F4A4
                                                    • Part of subcall function 0041F430: memset.MSVCRT ref: 0041F4BD
                                                    • Part of subcall function 0041F430: memset.MSVCRT ref: 0041F4D6
                                                    • Part of subcall function 0041F430: memset.MSVCRT ref: 0041F4F2
                                                    • Part of subcall function 0041F430: memset.MSVCRT ref: 0041F50B
                                                    • Part of subcall function 0041F430: memset.MSVCRT ref: 0041F526
                                                    • Part of subcall function 0041F430: memset.MSVCRT ref: 0041F541
                                                    • Part of subcall function 0041F430: memset.MSVCRT ref: 0041F55C
                                                    • Part of subcall function 0041F430: sprintf.MSVCRT ref: 0041F571
                                                    • Part of subcall function 0041F430: sprintf.MSVCRT ref: 0041F586
                                                    • Part of subcall function 0041F430: wsprintfW.USER32 ref: 0041F5A4
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: memset$sprintf$DriveLogicalStringslstrcatwsprintf
                                                  • String ID:
                                                  • API String ID: 563256260-0
                                                  • Opcode ID: cb1d075c2eb1a10e6ed9266434a9dcf2cb70e1b7714fff3b195ca3707688c638
                                                  • Instruction ID: e92a716cac05746de18c95dece2e690f00b6c28dde36f5ee2608688f4b44db25
                                                  • Opcode Fuzzy Hash: cb1d075c2eb1a10e6ed9266434a9dcf2cb70e1b7714fff3b195ca3707688c638
                                                  • Instruction Fuzzy Hash: D6117BB4A403486ADB20DBA49D41FDBB7B89F14348F0440BAE94CA3142E1785B4E87A9
                                                  APIs
                                                  • memset.MSVCRT ref: 00418B6E
                                                  • EncryptMessage.SECUR32(?,00000000,?,00000000,?,?,?), ref: 00418C29
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: EncryptMessagememset
                                                  • String ID:
                                                  • API String ID: 3924230039-0
                                                  • Opcode ID: e2ab3e0427d67a117949027b41559f788fb6a7f02857e0614c7bc85d79e661e5
                                                  • Instruction ID: 83138c532f6e9c88225244caf939170b5a47c542ad4b8401346457828b1b41fa
                                                  • Opcode Fuzzy Hash: e2ab3e0427d67a117949027b41559f788fb6a7f02857e0614c7bc85d79e661e5
                                                  • Instruction Fuzzy Hash: 474100B1D01208DFCB50CF99D981ADEBBF5EF98314F14851EE849D7301D774AA458B94
                                                  APIs
                                                  • WriteFile.KERNEL32(00000000,?,00008000,?,00000000), ref: 00419E8D
                                                  • DeviceIoControl.KERNEL32(00000000,0009001C,00000000,00000000,00000000,00000000,?,00000000), ref: 00419EA2
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: ControlDeviceFileWrite
                                                  • String ID:
                                                  • API String ID: 564257829-0
                                                  • Opcode ID: 4afc479d102d37327b33d929bc579cdb8ed7c26de501414185cfffd94aca2a32
                                                  • Instruction ID: de1ac00e8cee967706b2a50cd59aceebd3bb40acd45985b772c4545cce475cdb
                                                  • Opcode Fuzzy Hash: 4afc479d102d37327b33d929bc579cdb8ed7c26de501414185cfffd94aca2a32
                                                  • Instruction Fuzzy Hash: 4BE0C2B2250208BDF620C294DC81FFB3B1CD784711F100163FE05D0080D964AD45D678
                                                  APIs
                                                  • HeapAlloc.KERNEL32(?,00000008,00000800), ref: 0041D7C3
                                                  • HeapAlloc.KERNEL32(?,00000008,00000800), ref: 0041D7D2
                                                  • memset.MSVCRT ref: 0041D7EE
                                                  • HeapFree.KERNEL32(?,?,00000000), ref: 0041D80B
                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 0041D819
                                                  • GetLastError.KERNEL32 ref: 0041D82F
                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 0041D83C
                                                  • GetLastError.KERNEL32 ref: 0041D852
                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 0041D85B
                                                  • ReadFile.KERNEL32(?,00000000,00000800,00000000,00000000), ref: 0041D87A
                                                  • atoi.MSVCRT ref: 0041D8D3
                                                  • strchr.MSVCRT ref: 0041D8E8
                                                  • lstrlenA.KERNEL32(30e4*ga1), ref: 0041D900
                                                  • HeapAlloc.KERNEL32(?,00000008,00000001), ref: 0041D924
                                                  • HeapAlloc.KERNEL32(?,00000008,00000001), ref: 0041D930
                                                  • strchr.MSVCRT ref: 0041D93F
                                                  • lstrlenA.KERNEL32(00000000), ref: 0041D952
                                                  • lstrcpynA.KERNEL32(00000000,00000001,00000000), ref: 0041D95E
                                                  • lstrcpynA.KERNEL32(?,00000000,00000001), ref: 0041D96D
                                                  • lstrcmpA.KERNEL32(?,ftplog), ref: 0041D97F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Heap$AllocFree$ErrorLastlstrcpynlstrlenstrchr$FileReadatoilstrcmpmemset
                                                  • String ID: 0WB$30e4*ga1$4WB$8WB$<WB$@WB$FTP -> $POP3 -> $[DNS]: Blocked DNS "%s"$[FTP Infect]: %s was iframed$[FTP Login]: %s$[HTTP Login]: %s$[HTTP Traffic]: %s$[HTTP]: %s$[MSN]: %s$[PDef+]: %s$[POP3 Login]: %s$[Ruskill]: Detected DNS: "%s"$[Ruskill]: Detected File: "%s"$[Ruskill]: Detected Reg: "%s"$blk$block$disable$dns$ftpinfect$ftplog$httplogin$httpspread$httptraff$msn$poplog$rdns$rreg$ruskill
                                                  • API String ID: 1531277263-2009936158
                                                  • Opcode ID: d277c340f8bea3e55bc2c2d49f08d738a8c96279a95be2233f43ef0113d0f8bc
                                                  • Instruction ID: 2c2943cb04128b6d35297029cae5d0111cd3ecba60c7221066d127e6f45b2ece
                                                  • Opcode Fuzzy Hash: d277c340f8bea3e55bc2c2d49f08d738a8c96279a95be2233f43ef0113d0f8bc
                                                  • Instruction Fuzzy Hash: 34E14BB1B40714BBD720A7649C85FFF363CEF99745FA10126F90192291EBB89C42C6AD
                                                  APIs
                                                  • lstrlenA.KERNEL32(?,00000000,00000000,771B0440), ref: 00420446
                                                  • GetProcessHeap.KERNEL32(00000008,00000001), ref: 0042044C
                                                  • HeapAlloc.KERNEL32(00000000), ref: 00420453
                                                  • memset.MSVCRT ref: 0042048B
                                                  • GetProcessHeap.KERNEL32 ref: 00420493
                                                  • lstrcpyA.KERNEL32(00000000,?), ref: 004204A9
                                                  • sscanf.MSVCRT ref: 004204C5
                                                  • strstr.MSVCRT ref: 004204DC
                                                  • lstrlenA.KERNEL32(00412780), ref: 004204F0
                                                  • lstrlenA.KERNEL32(?), ref: 004204FA
                                                  • HeapAlloc.KERNEL32(?,00000008,00000000), ref: 00420505
                                                  • strtok.MSVCRT ref: 0042051B
                                                  • lstrcpyA.KERNEL32(00000000,00421335), ref: 00420534
                                                  • _memicmp.MSVCRT ref: 00420557
                                                  • lstrlenA.KERNEL32(00412780), ref: 00420567
                                                  • _snprintf.MSVCRT ref: 0042057B
                                                  • _memicmp.MSVCRT ref: 00420596
                                                  • lstrcatA.KERNEL32(00000000,00000000), ref: 004205A7
                                                  • lstrcatA.KERNEL32(00000000,00000000), ref: 004205F1
                                                  • lstrcatA.KERNEL32(00000000,00422B84), ref: 004205F9
                                                  • strtok.MSVCRT ref: 00420602
                                                  • lstrcatA.KERNEL32(00000000,00000000), ref: 0042061C
                                                  • lstrcatA.KERNEL32(00000000,), ref: 00420624
                                                  • lstrcatA.KERNEL32(00000000,00412780), ref: 0042062B
                                                  • lstrlenA.KERNEL32(00000000), ref: 0042062E
                                                  • _snprintf.MSVCRT ref: 00420646
                                                  • lstrlenA.KERNEL32(00000000), ref: 0042064F
                                                  • lstrlenA.KERNEL32(?), ref: 0042065A
                                                  • HeapAlloc.KERNEL32(?,00000008,00000040), ref: 00420667
                                                  • _snprintf.MSVCRT ref: 00420688
                                                  • sscanf.MSVCRT ref: 004206A0
                                                  • strstr.MSVCRT ref: 004206B7
                                                  • strstr.MSVCRT ref: 004206D2
                                                  • lstrlenA.KERNEL32(00000000), ref: 004206E6
                                                  • lstrlenA.KERNEL32(-00000002), ref: 004206F3
                                                  • HeapAlloc.KERNEL32(?,00000008,?), ref: 004206FF
                                                  • lstrlenA.KERNEL32(00000000), ref: 00420714
                                                  • lstrlenA.KERNEL32(-00000002), ref: 00420721
                                                  • lstrcpynA.KERNEL32(?,-00000002,?), ref: 0042072C
                                                  • lstrlenA.KERNEL32(?), ref: 00420736
                                                  • lstrlenA.KERNEL32(00412780), ref: 0042073E
                                                  • HeapAlloc.KERNEL32(?,00000008,?), ref: 0042074B
                                                  • lstrlenA.KERNEL32(?,?,00412780), ref: 00420761
                                                  • lstrlenA.KERNEL32(00412780), ref: 0042076A
                                                  • _snprintf.MSVCRT ref: 00420787
                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 0042079F
                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 004207AC
                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 004207B6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$Heap$lstrcat$Alloc$_snprintf$Freestrstr$Process_memicmplstrcpysscanfstrtok$lstrcpynmemset
                                                  • String ID: $%s%s$Content-Length: $Content-Length: %d$From: $MSG %d %1s$MSG %d %s %d%s%s$Reliability: $SDG $SDG $SDG %d$SDG %d %d$X-MMS-IM-Format:
                                                  • API String ID: 375969099-2909086048
                                                  • Opcode ID: f969e77bdbe2cbedb84d0cfb1a2f46922416567fa1ba93b9f72692ec9899350e
                                                  • Instruction ID: 60bbb0d75eeb01cef81d1bbf947f89b089fb49f282d40385a97ecfe41ce46943
                                                  • Opcode Fuzzy Hash: f969e77bdbe2cbedb84d0cfb1a2f46922416567fa1ba93b9f72692ec9899350e
                                                  • Instruction Fuzzy Hash: 90A15871B00329BBDB10DBA4AC85EBF77BCEF58704F904556F904A3242DA78DE418B69
                                                  APIs
                                                  • memset.MSVCRT ref: 0041F459
                                                  • memset.MSVCRT ref: 0041F472
                                                  • memset.MSVCRT ref: 0041F48B
                                                  • memset.MSVCRT ref: 0041F4A4
                                                  • memset.MSVCRT ref: 0041F4BD
                                                  • memset.MSVCRT ref: 0041F4D6
                                                  • memset.MSVCRT ref: 0041F4F2
                                                  • memset.MSVCRT ref: 0041F50B
                                                  • memset.MSVCRT ref: 0041F526
                                                  • memset.MSVCRT ref: 0041F541
                                                  • memset.MSVCRT ref: 0041F55C
                                                  • sprintf.MSVCRT ref: 0041F571
                                                  • sprintf.MSVCRT ref: 0041F586
                                                  • wsprintfW.USER32 ref: 0041F5A4
                                                  • sprintf.MSVCRT ref: 0041F5BC
                                                  • sprintf.MSVCRT ref: 0041F5D3
                                                  • sprintf.MSVCRT ref: 0041F5EC
                                                  • wsprintfW.USER32 ref: 0041F607
                                                  • wsprintfW.USER32 ref: 0041F61B
                                                    • Part of subcall function 00411CF0: GetFileAttributesW.KERNEL32(?), ref: 00411CF7
                                                  • _stricmp.MSVCRT(00000000,ERR), ref: 0041F64B
                                                  • _stricmp.MSVCRT(0045A920,00000000), ref: 0041F65D
                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 0041F684
                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 0041F692
                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 0041F6A0
                                                  • CreateDirectoryA.KERNEL32(?,00000000), ref: 0041F6AA
                                                  • GetLastError.KERNEL32 ref: 0041F6B4
                                                  • CopyFileW.KERNEL32(0045B9A0,?,00000000), ref: 0041F6CE
                                                  • lstrlenA.KERNEL32([.ShellClassInfo]CLSID={645FF040-5081-101B-9F08-00AA002F954E},00000000), ref: 0041F6DE
                                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0041F747
                                                  • lstrcpyA.KERNEL32(?,0000422F), ref: 0041F7DA
                                                  • lstrcatA.KERNEL32(?,?), ref: 0041F7EE
                                                    • Part of subcall function 00411EA0: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,08000000,00000000), ref: 00411ECD
                                                    • Part of subcall function 00411EA0: GetLastError.KERNEL32 ref: 00411EDA
                                                  • lstrcatA.KERNEL32(?,00422B84), ref: 0041F800
                                                  • lstrlenA.KERNEL32(?,?,00000000), ref: 0041F813
                                                  • lstrlenA.KERNEL32(0000422F,?,00000000), ref: 0041F828
                                                  • WriteFile.KERNEL32(00000000,0000422F,00000000), ref: 0041F837
                                                  • lstrlenA.KERNEL32(?,?,00000000), ref: 0041F87C
                                                  • WriteFile.KERNEL32(00000000,?,00000000), ref: 0041F88B
                                                  • CloseHandle.KERNEL32(00000000), ref: 0041F8B1
                                                  • Sleep.KERNEL32(00000032), ref: 0041F8C4
                                                  • SetFileAttributesA.KERNEL32(?,00000004), ref: 0041F901
                                                  • SetFileAttributesA.KERNEL32(?,00000004), ref: 0041F93A
                                                  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 0041F97D
                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 0041F984
                                                  • LockFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0041F98D
                                                  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 0041F9BE
                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 0041F9C5
                                                  • LockFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0041F9CE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: File$memset$Attributes$Createsprintf$lstrlen$wsprintf$ErrorLastLockSizeWrite_stricmplstrcat$CloseCopyDirectoryHandleSleeplstrcpy
                                                  • String ID: %S%S\$%s%s$ERR$[.ShellClassInfo]CLSID={645FF040-5081-101B-9F08-00AA002F954E}$usbi
                                                  • API String ID: 2867265384-2420988572
                                                  • Opcode ID: 00d1d795e2d1d27c66a4ec85e28aef2d1caf98f1bb64f66cc20c79bb8584df19
                                                  • Instruction ID: ae1d397e02b1295864b80d697fa7216f29a20096a6e041bdf3a8a2d562a3aa5c
                                                  • Opcode Fuzzy Hash: 00d1d795e2d1d27c66a4ec85e28aef2d1caf98f1bb64f66cc20c79bb8584df19
                                                  • Instruction Fuzzy Hash: 39E1C8B1A40228BAD730DB60DC45FEB777CEF58704F4044AAF609A2191D7B85AC5CBAD
                                                  APIs
                                                  • memset.MSVCRT ref: 0041EA0F
                                                  • LoadLibraryW.KERNEL32(ws2_32.dll), ref: 0041EA22
                                                  • LoadLibraryW.KERNEL32(secur32.dll), ref: 0041EA29
                                                  • LoadLibraryW.KERNEL32(wininet.dll), ref: 0041EA30
                                                  • CreateMutexA.KERNEL32(00000000,00000000,004257AC), ref: 0041EA3B
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041EA44
                                                    • Part of subcall function 00417330: memset.MSVCRT ref: 00417351
                                                    • Part of subcall function 00417330: lstrlenA.KERNEL32(?), ref: 00417369
                                                    • Part of subcall function 00417330: _snprintf.MSVCRT ref: 00417381
                                                    • Part of subcall function 00417330: _vsnprintf.MSVCRT ref: 004173A3
                                                    • Part of subcall function 00417330: lstrlenA.KERNEL32(00000000), ref: 004173B2
                                                  • CopyFileW.KERNEL32(0045AFB0,0045ADA0,00000000), ref: 0041EACF
                                                    • Part of subcall function 0041D6B0: RegSetValueExW.ADVAPI32(?,?,00000000,00000001,?,?), ref: 0041D731
                                                    • Part of subcall function 0041D6B0: RegCloseKey.ADVAPI32(?), ref: 0041D740
                                                  • Sleep.KERNEL32(000003E8), ref: 0041EAFC
                                                    • Part of subcall function 00411AD0: GetSystemTimeAsFileTime.KERNEL32(?), ref: 00411AE9
                                                  • DeleteFileW.KERNEL32(0045AFB0), ref: 0041EB2F
                                                  • Sleep.KERNEL32(00003A98), ref: 0041EB3A
                                                  • DeleteFileW.KERNEL32(0045AFB0), ref: 0041EB41
                                                  • lstrcpyA.KERNEL32(0045A920,ERR), ref: 0041EB61
                                                  • lstrlenA.KERNEL32(004257C0), ref: 0041EB72
                                                  • lstrlenA.KERNEL32(004257C0), ref: 0041EBB5
                                                  • _snprintf.MSVCRT ref: 0041EBDE
                                                  • lstrlenA.KERNEL32(00000000), ref: 0041EC15
                                                  • InitializeCriticalSection.KERNEL32(0045B3C8), ref: 0041EC32
                                                  • memset.MSVCRT ref: 0041EC5F
                                                  • wsprintfW.USER32 ref: 0041EC75
                                                  • DeleteFileW.KERNEL32(?), ref: 0041EC95
                                                  • GetLastError.KERNEL32 ref: 0041EC97
                                                    • Part of subcall function 00411CF0: GetFileAttributesW.KERNEL32(?), ref: 00411CF7
                                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000E880,00000000,00000000,00000000), ref: 0041ECB2
                                                  • CloseHandle.KERNEL32(00000000), ref: 0041ECBB
                                                  • CreateThread.KERNEL32(00000000,00000000,0041E990,00000000,00000000,00000000), ref: 0041ECCC
                                                  • CloseHandle.KERNEL32(00000000), ref: 0041ECCF
                                                  • lstrlenA.KERNEL32(0045B3E0), ref: 0041ED26
                                                  • lstrlenA.KERNEL32(0045AC50,?,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00000000), ref: 0041ED5E
                                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000E770,0045B990,00000000,00000000), ref: 0041ED83
                                                  • CloseHandle.KERNEL32(00000000), ref: 0041ED86
                                                  • CreateThread.KERNEL32(00000000,00000000,0041FC90,00000000,00000000,00000000), ref: 0041EDA1
                                                  • CloseHandle.KERNEL32(00000000), ref: 0041EDA4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$File$CloseCreate$HandleThread$DeleteLibraryLoadmemset$SleepTime_snprintf$AttributesCopyCriticalErrorInitializeLastMutexObjectSectionSingleSystemValueWait_vsnprintflstrcpywsprintf
                                                  • String ID: %s:Zone.Identifier$ERR$IPC_Check$Software\Microsoft\Windows\CurrentVersion\Run$Software\Microsoft\Windows\CurrentVersion\Run$binBot$msnint$msnmsg$running$secur32.dll$wininet.dll$ws2_32.dll
                                                  • API String ID: 4164503275-2890300057
                                                  • Opcode ID: 49ba17469f0f007f04f463ef86c7db8705a3d2467b1efcd106ca658ad7ee1c28
                                                  • Instruction ID: b969bdae5fbe6de98cebd6323fc2e80d53c2c13920fd58ced1062e484da86d0f
                                                  • Opcode Fuzzy Hash: 49ba17469f0f007f04f463ef86c7db8705a3d2467b1efcd106ca658ad7ee1c28
                                                  • Instruction Fuzzy Hash: 9A81F7B5BC031436E6207762AC07F9B36189B50B06F640127FE05B51D3DAFCA69485AE
                                                  APIs
                                                  • EnterCriticalSection.KERNEL32(0045B3C8), ref: 0041E14B
                                                    • Part of subcall function 00419FF0: strtok.MSVCRT ref: 0041A013
                                                    • Part of subcall function 00419FF0: strtok.MSVCRT ref: 0041A04F
                                                  • GetLastError.KERNEL32 ref: 0041E17E
                                                  • GetLastError.KERNEL32 ref: 0041E18B
                                                  • GetLastError.KERNEL32 ref: 0041E198
                                                  • GetLastError.KERNEL32 ref: 0041E1A5
                                                  • Sleep.KERNEL32(00003A98), ref: 0041E1C8
                                                  • Sleep.KERNEL32(000003E8), ref: 0041E22B
                                                  • lstrlenA.KERNEL32(00000000), ref: 0041E24D
                                                  • _memicmp.MSVCRT ref: 0041E259
                                                  • MoveFileExW.KERNEL32(00000000,0045ADA0,0000000B), ref: 0041E292
                                                  • MoveFileExW.KERNEL32(00000000,0045ADA0,00000004), ref: 0041E2A4
                                                  • lstrcpyA.KERNEL32(0045A920,00000000), ref: 0041E2C0
                                                  • lstrcmpA.KERNEL32(?,00422C7C), ref: 0041E2D3
                                                  • Sleep.KERNEL32(000007D0), ref: 0041E2FA
                                                  • Sleep.KERNEL32(000007D0), ref: 0041E30A
                                                    • Part of subcall function 0041BA00: memset.MSVCRT ref: 0041BA1E
                                                    • Part of subcall function 0041BA00: wvsprintfA.USER32(00000000,00000000,00000000), ref: 0041BA42
                                                  • DeleteFileW.KERNEL32(00000000), ref: 0041E43A
                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 0041E45D
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 0041E46B
                                                  • LeaveCriticalSection.KERNEL32(0045B3C8), ref: 0041E478
                                                  Strings
                                                  • [d="%s"] Error downloading file [e="%d"], xrefs: 0041E405
                                                  • [d="%s"] Error writing download to "%S" [e="%d"], xrefs: 0041E383, 0041E3AE
                                                  • QUIT :%s, xrefs: 0041E2E3
                                                  • bsod, xrefs: 0041E312
                                                  • [d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d, xrefs: 0041E41C
                                                  • [d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"], xrefs: 0041E36E
                                                  • rebooting, xrefs: 0041E2DE
                                                  • [d="%s"] Error getting temporary filename. [e="%d"], xrefs: 0041E3D1
                                                  • [d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s), xrefs: 0041E359
                                                  • [d='%s"] Error getting application data path [e="%d"], xrefs: 0041E3F4
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: ErrorLastSleep$File$CriticalMoveSectionstrtok$??3@DeleteEnterFreeHeapLeave_memicmplstrcmplstrcpylstrlenmemsetwvsprintf
                                                  • String ID: QUIT :%s$[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]$[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)$[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d$[d="%s"] Error downloading file [e="%d"]$[d="%s"] Error getting temporary filename. [e="%d"]$[d="%s"] Error writing download to "%S" [e="%d"]$[d='%s"] Error getting application data path [e="%d"]$bsod$rebooting
                                                  • API String ID: 4206007775-4213298338
                                                  • Opcode ID: ab01d693464fe8b1ec769856fac6418db6318af6be404e28e30833eaac361824
                                                  • Instruction ID: 854ea0b46cbfa93705d0009023abc5f9715b07d37d0103b094f052437704be04
                                                  • Opcode Fuzzy Hash: ab01d693464fe8b1ec769856fac6418db6318af6be404e28e30833eaac361824
                                                  • Instruction Fuzzy Hash: 948127B8B40204BBD7209B96DC0AFBF7778EF58705F60411BFD0192292D77899918B6E
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,IsWow64Process), ref: 001C90A3
                                                  • GetProcAddress.KERNEL32(00000000), ref: 001C90AA
                                                    • Part of subcall function 001CB4F0: GetVersionExA.KERNEL32(0000009C), ref: 001CB520
                                                    • Part of subcall function 001CA860: GetCurrentProcess.KERNEL32(00000000), ref: 001CA878
                                                  • GetWindowsDirectoryA.KERNEL32(001D1628,000001FF), ref: 001C90E6
                                                  • lstrlenA.KERNEL32(001D1628), ref: 001C90F1
                                                  • RegEnumKeyA.ADVAPI32(80000003,00000000,?,000000FF), ref: 001C9196
                                                  • lstrcpyA.KERNEL32(?,?), ref: 001C91B2
                                                  • lstrcatA.KERNEL32(?,001C2678), ref: 001C91C4
                                                  • lstrcatA.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\Run), ref: 001C91D6
                                                  • lstrcpyA.KERNEL32(?,?), ref: 001C9214
                                                  • lstrcatA.KERNEL32(?,001C267C), ref: 001C9226
                                                  • lstrcatA.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\RunOnce), ref: 001C9238
                                                    • Part of subcall function 001CB5E0: AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,001C90D7), ref: 001CB61B
                                                    • Part of subcall function 001CB5E0: CheckTokenMembership.ADVAPI32(00000000,001C90D7,00000000), ref: 001CB634
                                                    • Part of subcall function 001CB5E0: FreeSid.ADVAPI32(001C90D7), ref: 001CB649
                                                    • Part of subcall function 001C9660: RegOpenKeyExA.ADVAPI32(80000002,001C9133,00000000,00000003,?), ref: 001C967C
                                                    • Part of subcall function 001C9660: RegEnumValueA.ADVAPI32(?,00000000,?,00000100,00000000,?,?,00000100), ref: 001C9702
                                                    • Part of subcall function 001C9660: StrRChrA.SHLWAPI(?,00000000,0000002E), ref: 001C976E
                                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 001C934B
                                                  • wsprintfA.USER32 ref: 001C93C1
                                                  • wsprintfA.USER32 ref: 001C93E4
                                                  • CreateDirectoryA.KERNEL32(?,00000000), ref: 001C93F6
                                                  • wsprintfA.USER32 ref: 001C9449
                                                  • GetModuleFileNameA.KERNEL32(00000000,?,000000FF), ref: 001C9460
                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 001C9472
                                                  • DeleteFileA.KERNEL32(?), ref: 001C947F
                                                  • CopyFileA.KERNEL32(?,?,00000000), ref: 001C9495
                                                  • SetFileAttributesA.KERNEL32(?,00000002), ref: 001C94A4
                                                    • Part of subcall function 001CB1A0: SetLastError.KERNEL32(00000000), ref: 001CB1AB
                                                    • Part of subcall function 001CB1A0: RegCreateKeyExA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run,00000000,00000000,00000000,00000002,00000000,001C94B6,00000000), ref: 001CB1D4
                                                    • Part of subcall function 001CB1A0: GetLastError.KERNEL32 ref: 001CB1DA
                                                    • Part of subcall function 001CB1A0: wsprintfA.USER32 ref: 001CB20A
                                                    • Part of subcall function 001CB1A0: lstrlenA.KERNEL32(?), ref: 001CB21A
                                                    • Part of subcall function 001CB1A0: RegSetValueExA.ADVAPI32(001C94B6,Windows Update,00000000,00000001,?,?), ref: 001CB241
                                                    • Part of subcall function 001CB1A0: RegCloseKey.ADVAPI32(001C94B6), ref: 001CB24B
                                                  • lstrcatA.KERNEL32(?,:Zone.Identifier), ref: 001C94C5
                                                  • DeleteFileA.KERNEL32(?), ref: 001C94D2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: File$lstrcat$wsprintf$AttributesCreateDeleteDirectoryEnumErrorLastModuleValuelstrcpylstrlen$AddressAllocateCheckCloseCopyCurrentFolderFreeHandleInitializeMembershipNameOpenPathProcProcessTokenVersionWindows
                                                  • String ID: %s\%s$%s\%s\%s.exe$:Zone.Identifier$IsWow64Process$Microsoft\Windows\%s$Software\Microsoft\Windows\CurrentVersion\Run$Software\Microsoft\Windows\CurrentVersion\RunOnce$WindowsId$WindowsId$kernel32.dll
                                                  • API String ID: 2800550178-2013823201
                                                  • Opcode ID: 1440048200941f306daa161745a4e934e322c11f047541155cf7432f86f7677c
                                                  • Instruction ID: 3b33fca4c2f7886d029b98b370b10c57f92f04cb8ae992e2eb0286d08313d0f6
                                                  • Opcode Fuzzy Hash: 1440048200941f306daa161745a4e934e322c11f047541155cf7432f86f7677c
                                                  • Instruction Fuzzy Hash: 1CB196B5941218BBE710EB60AC4AFE93738AB74704F04449CF709A5092EBB6D7D4CFA5
                                                  APIs
                                                  • EnterCriticalSection.KERNEL32(0045B3C8), ref: 0041DDCF
                                                    • Part of subcall function 00419FF0: strtok.MSVCRT ref: 0041A013
                                                    • Part of subcall function 00419FF0: strtok.MSVCRT ref: 0041A04F
                                                  • strstr.MSVCRT ref: 0041DDF4
                                                  • lstrlenA.KERNEL32(?), ref: 0041DE11
                                                  • toupper.MSVCRT ref: 0041DE28
                                                  • GetLastError.KERNEL32 ref: 0041DE68
                                                  • GetLastError.KERNEL32 ref: 0041DE71
                                                  • GetLastError.KERNEL32 ref: 0041DE7A
                                                  • GetLastError.KERNEL32 ref: 0041DE83
                                                  • Sleep.KERNEL32(00003A98), ref: 0041DEA8
                                                  • Sleep.KERNEL32(000003E8), ref: 0041DF16
                                                  • _stricmp.MSVCRT(?,00000000), ref: 0041DF3D
                                                  • Sleep.KERNEL32(00000032), ref: 0041DF6A
                                                  • GetLastError.KERNEL32([d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"],?,?,?,00000000), ref: 0041E021
                                                  • GetLastError.KERNEL32 ref: 0041E059
                                                  • GetLastError.KERNEL32([d="%s" s="%d bytes"] Error creating process "%S" [e="%d"],?,?,?,00000000), ref: 0041E037
                                                    • Part of subcall function 0041BA00: memset.MSVCRT ref: 0041BA1E
                                                    • Part of subcall function 0041BA00: wvsprintfA.USER32(00000000,00000000,00000000), ref: 0041BA42
                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 0041E0DD
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 0041E0EB
                                                  • LeaveCriticalSection.KERNEL32(0045B3C8), ref: 0041E0F8
                                                  Strings
                                                  • ERR, xrefs: 0041DFEC
                                                  • [d="%s"] Error downloading file [e="%d"], xrefs: 0041E08E
                                                  • [d="%s" s="%d bytes"] Error creating process "%S" [e="%d"], xrefs: 0041E030
                                                  • [d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d, xrefs: 0041E0A5
                                                  • [d="%s"] Error writing download to "%S" [e="%d"], xrefs: 0041E042
                                                  • [d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"], xrefs: 0041E017
                                                  • [d="%s"] Error getting temporary filename. [e="%d"], xrefs: 0041E060
                                                  • dlds, xrefs: 0041DE44, 0041DFA6
                                                  • [d='%s"] Error getting application data path [e="%d"], xrefs: 0041E080
                                                  • exe, xrefs: 0041DEE4
                                                  • http://, xrefs: 0041DDEE
                                                  • [d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s), xrefs: 0041DFFE
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$Sleep$CriticalSectionstrtok$??3@EnterFreeHeapLeave_stricmplstrlenmemsetstrstrtoupperwvsprintf
                                                  • String ID: ERR$[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)$[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]$[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d$[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]$[d="%s"] Error downloading file [e="%d"]$[d="%s"] Error getting temporary filename. [e="%d"]$[d="%s"] Error writing download to "%S" [e="%d"]$[d='%s"] Error getting application data path [e="%d"]$dlds$exe$http://
                                                  • API String ID: 3190375853-4059846736
                                                  APIs
                                                  • memset.MSVCRT ref: 00417898
                                                  • lstrlenA.KERNEL32(-00000005,00000000,00000000,?,?,?,00000000,?), ref: 0041795D
                                                  • _snprintf.MSVCRT ref: 0041797B
                                                  • _snprintf.MSVCRT ref: 004179B7
                                                  • lstrlenA.KERNEL32(0045A2B0,?,00000000,?), ref: 00417A5A
                                                  • lstrlenA.KERNEL32(0045A4B0), ref: 00417A69
                                                  • _snprintf.MSVCRT ref: 00417AD9
                                                  • _stricmp.MSVCRT(0045A2B0,anonymous,00000000,000001FF,ftp://%s:%s@%s:%d,0045A2B0,0045A4B0,00000000,00000000), ref: 00417AE8
                                                  • _snprintf.MSVCRT ref: 00417B66
                                                    • Part of subcall function 00412460: GetProcessHeap.KERNEL32(?,004120DE,?), ref: 0041246C
                                                    • Part of subcall function 00412460: HeapAlloc.KERNEL32(?,00000008,004120DE,?,004120DE,?), ref: 0041247E
                                                  • lstrcpyA.KERNEL32(0045A2B0,00421335,?,00000000,?), ref: 00417BBC
                                                  • lstrcpyA.KERNEL32(0045A4B0,00421335), ref: 00417BC8
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: _snprintf$lstrlen$Heaplstrcpy$AllocProcess_stricmpmemset
                                                  • String ID: %s.%s (p='%S')$%s:%s@%s:%d$FEAT$LIST$PASS$PASV$STAT$TYPE$USER$anonymous$block$ftp://%s:%s@%s:%d$ftpgrab$ftplog$pop3://%s:%s@%s:%d$popgrab$poplog
                                                  • API String ID: 389836911-2374598668
                                                  APIs
                                                  • memset.MSVCRT ref: 00420930
                                                  • GetProcessHeap.KERNEL32 ref: 0042093D
                                                  • memset.MSVCRT ref: 0042095D
                                                  • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 00420982
                                                  • ShellExecuteA.SHELL32(00000000,OPEN,00000000,00000000,00000000,00000005), ref: 004209BF
                                                    • Part of subcall function 004173E0: memset.MSVCRT ref: 00417401
                                                    • Part of subcall function 004173E0: memset.MSVCRT ref: 00417419
                                                    • Part of subcall function 004173E0: lstrlenA.KERNEL32(?), ref: 00417431
                                                    • Part of subcall function 004173E0: _snprintf.MSVCRT ref: 00417449
                                                    • Part of subcall function 004173E0: _vsnprintf.MSVCRT ref: 0041746B
                                                    • Part of subcall function 004173E0: lstrlenA.KERNEL32(?), ref: 0041747A
                                                  • GetTickCount.KERNEL32 ref: 004209CF
                                                  • Sleep.KERNEL32 ref: 00420A05
                                                  • OpenMutexA.KERNEL32(001F0001,00000000,004257AC), ref: 00420A17
                                                  • GetLastError.KERNEL32 ref: 00420A27
                                                  • GetLastError.KERNEL32 ref: 00420A2E
                                                  • ExitProcess.KERNEL32 ref: 00420A32
                                                  • lstrlenA.KERNEL32(30e4*ga1), ref: 00420A3D
                                                  • _snprintf.MSVCRT ref: 00420A60
                                                  • ExitProcess.KERNEL32 ref: 00420A79
                                                  • ExitProcess.KERNEL32 ref: 00420A98
                                                  • GetModuleFileNameW.KERNEL32(00000000,0045AFB0,00000208), ref: 00420ACC
                                                  • wsprintfW.USER32 ref: 00420ADE
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,0045ADA0,000000FF,0045AC50,00000104,00000000,00000000), ref: 00420B06
                                                  • lstrcpynW.KERNEL32(0045B1B8,00000000,00000208), ref: 00420B13
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,0045B3E0,00000104,00000000,00000000), ref: 00420B2E
                                                  • Sleep.KERNEL32(000009C4), ref: 00420B59
                                                  • ExitProcess.KERNEL32 ref: 00420B70
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Process$Exitmemset$lstrlen$ByteCharErrorFileLastModuleMultiNameSleepWide_snprintf$CountExecuteHeapMutexOpenShellTick_vsnprintflstrcpynwsprintf
                                                  • String ID: %08x$%s\Microsoft\Windows\%s.exe$30e4*ga1$OPEN$binBot$running
                                                  • API String ID: 2173303953-531062012
                                                  APIs
                                                  • GetProcessHeap.KERNEL32(00000000,00000000,00000000,0042037C,?,004232E4,00000000,00000000,httpi), ref: 0041FE11
                                                  • lstrlenA.KERNEL32(?), ref: 0041FE40
                                                  • HeapAlloc.KERNEL32(00000000,00000008,00000001), ref: 0041FE47
                                                  • lstrlenA.KERNEL32(?), ref: 0041FE5E
                                                  • lstrlenA.KERNEL32(?), ref: 0041FE72
                                                  • lstrlenA.KERNEL32(?), ref: 0041FE7C
                                                  • HeapAlloc.KERNEL32(?,00000008,00000002), ref: 0041FE89
                                                  • strtok.MSVCRT ref: 0041FEA2
                                                  • lstrcpyA.KERNEL32(00000000,00421335), ref: 0041FEBB
                                                  • lstrcatA.KERNEL32(00000000,004219DC), ref: 0041FECD
                                                  • lstrlenA.KERNEL32(00000000), ref: 0041FEE4
                                                  • _memicmp.MSVCRT ref: 0041FEEF
                                                  • lstrcatA.KERNEL32(00000000,?), ref: 0041FF0A
                                                  • lstrlenA.KERNEL32(?), ref: 0041FF14
                                                  • HeapAlloc.KERNEL32(?,00000008,00000000), ref: 0041FF1F
                                                  • lstrlenA.KERNEL32(?), ref: 0041FF33
                                                  • lstrcatA.KERNEL32(00000000,00423328), ref: 0041FF4B
                                                  • strstr.MSVCRT ref: 0041FF5C
                                                  • lstrlenA.KERNEL32(00000000), ref: 0041FF65
                                                  • lstrlenA.KERNEL32(?), ref: 0041FF6B
                                                  • strncat.MSVCRT ref: 0041FF77
                                                  • lstrcatA.KERNEL32(00000000,00422B54), ref: 0041FF85
                                                  • lstrlenA.KERNEL32(?), ref: 0041FF8F
                                                  • HeapAlloc.KERNEL32(?,00000008,00000000), ref: 0041FF9A
                                                  • lstrlenA.KERNEL32(?), ref: 0041FFAA
                                                    • Part of subcall function 0041FD80: isalnum.MSVCRT ref: 0041FDAC
                                                    • Part of subcall function 0041FD80: strchr.MSVCRT ref: 0041FDBE
                                                  • lstrcatA.KERNEL32(00000000,00000000), ref: 0041FFBE
                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 0041FFCB
                                                  • lstrcatA.KERNEL32(00000000,?), ref: 0041FFDF
                                                  • strtok.MSVCRT ref: 0041FFEC
                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 0042000F
                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 0042001C
                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 0042003C
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$Heap$lstrcat$AllocFree$strtok$Process_memicmpisalnumlstrcpystrchrstrncatstrstr
                                                  • String ID:
                                                  • API String ID: 423345748-0
                                                  APIs
                                                  • memset.MSVCRT ref: 004199D5
                                                  • memset.MSVCRT ref: 004199EF
                                                  • WSAStartup.WS2_32(00000002,?), ref: 00419A00
                                                    • Part of subcall function 00419300: inet_addr.WS2_32(n"A), ref: 00419308
                                                    • Part of subcall function 00419300: gethostbyname.WS2_32(n"A), ref: 00419313
                                                  • htons.WS2_32(00000050), ref: 00419A28
                                                  • GetTickCount.KERNEL32 ref: 00419A3A
                                                  • GetTickCount.KERNEL32 ref: 00419A4D
                                                  • socket.WS2_32(00000002,00000001,00000000), ref: 00419A7B
                                                  • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 00419A96
                                                  • connect.WS2_32(?,?,00000010), ref: 00419AB1
                                                  • Sleep.KERNEL32(00000064,?,?,00000010,00000002,00000001,00000000), ref: 00419ABE
                                                  • GetTickCount.KERNEL32 ref: 00419AC4
                                                  • lstrcpyA.KERNEL32(00000000,X-a: b), ref: 00419AFE
                                                  • lstrcpyA.KERNEL32(00000000,Connection: Close), ref: 00419B0C
                                                  • lstrlenA.KERNEL32(00000000), ref: 00419B0F
                                                  • send.WS2_32(?,00000000,00000000,00000000), ref: 00419B41
                                                  • Sleep.KERNEL32(000003E8,?,00000000,00000000,00000000), ref: 00419B51
                                                  • lstrlenA.KERNEL32(00000000), ref: 00419B5E
                                                  • GetTickCount.KERNEL32 ref: 00419B66
                                                  • Sleep.KERNEL32(000009C4), ref: 00419B7F
                                                  • send.WS2_32(?,00000000,00000000,00000000), ref: 00419BBE
                                                  • GetTickCount.KERNEL32 ref: 00419BD2
                                                  • lstrlenA.KERNEL32(00000000), ref: 00419BE4
                                                  • send.WS2_32(?,00000000,00000000,00000000), ref: 00419C1E
                                                  • closesocket.WS2_32(?), ref: 00419C38
                                                  • GetTickCount.KERNEL32 ref: 00419C43
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: CountTick$Sleeplstrlensend$lstrcpymemset$Startupclosesocketconnectgethostbynamehtonsinet_addrioctlsocketsocket
                                                  • String ID: Connection: Close$X-a: b
                                                  • API String ID: 1989272289-3524857483
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$Heap$Alloc_memicmp_snprintfmemsetstrtok$Freelstrcpynsscanf
                                                  • String ID: HTTP$Host: $POST /%1023s$http://%s/$http://%s/%s
                                                  • API String ID: 3179755921-1264106924
                                                  APIs
                                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 001CACAD
                                                    • Part of subcall function 001CA9E0: GetTickCount.KERNEL32 ref: 001CA9ED
                                                  • wsprintfA.USER32 ref: 001CACD7
                                                  • wsprintfA.USER32 ref: 001CAD0B
                                                  • CreateDirectoryA.KERNEL32(?,00000000), ref: 001CAD1D
                                                  • SetCurrentDirectoryA.KERNEL32(?), ref: 001CAD2A
                                                  • wsprintfA.USER32 ref: 001CAD67
                                                    • Part of subcall function 001CAC10: CoCreateGuid.OLE32(?), ref: 001CAC1A
                                                    • Part of subcall function 001CAC10: UuidToStringA.RPCRT4(?,?), ref: 001CAC28
                                                    • Part of subcall function 001CAC10: lstrcpyA.KERNEL32(?,?), ref: 001CAC36
                                                  • RegCreateKeyExA.ADVAPI32(80000001,Software\WindowsId Manager Reader,00000000,00000000,00000000,000F003F,00000000,00000000,00000000), ref: 001CADC7
                                                  • lstrlenA.KERNEL32(?), ref: 001CADD4
                                                  • RegSetValueExA.ADVAPI32(00000000,WindowsMark,00000000,00000001,?,00000000), ref: 001CADF2
                                                  • lstrlenA.KERNEL32(001D11B8), ref: 001CADFD
                                                  • RegSetValueExA.ADVAPI32(00000000,WindowsId,00000000,00000001,001D11B8,00000000), ref: 001CAE19
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 001CAE26
                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000100), ref: 001CAE3A
                                                  • CopyFileA.KERNEL32(?,?,00000000), ref: 001CAE50
                                                  • CloseHandle.KERNEL32(?), ref: 001CAE5D
                                                  • CreateProcessA.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 001CAEBB
                                                  • ExitProcess.KERNEL32 ref: 001CAEC3
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Create$wsprintf$CloseDirectoryFileProcessValuelstrlen$CopyCountCurrentExitFolderGuidHandleModuleNamePathStringTickUuidlstrcpy
                                                  • String ID: %s\%s$%s\%s\%s.exe$D$Microsoft\Windows\%$Software\WindowsId Manager Reader$WindowsId$WindowsMark
                                                  • API String ID: 1366244133-3970825820
                                                  APIs
                                                  • memset.MSVCRT ref: 00416A68
                                                  • lstrlenA.KERNEL32 ref: 00416B03
                                                  • _memicmp.MSVCRT ref: 00416B0E
                                                  • _memicmp.MSVCRT ref: 00416B22
                                                  • _memicmp.MSVCRT ref: 00416B36
                                                  • sscanf.MSVCRT ref: 00416B4F
                                                  • sscanf.MSVCRT ref: 00416B69
                                                  • lstrlenA.KERNEL32(?), ref: 00416BD5
                                                  • SetFileAttributesW.KERNEL32(0045A710,00000080), ref: 00416C31
                                                  • MoveFileExW.KERNEL32(0045A710,00000000,00000004), ref: 00416C40
                                                  • closesocket.WS2_32(?), ref: 00416C60
                                                  • ExitThread.KERNEL32 ref: 00416C67
                                                    • Part of subcall function 0041A310: memset.MSVCRT ref: 0041A335
                                                    • Part of subcall function 0041A310: memset.MSVCRT ref: 0041A34F
                                                    • Part of subcall function 0041A310: memset.MSVCRT ref: 0041A369
                                                    • Part of subcall function 0041A310: _vsnprintf.MSVCRT ref: 0041A382
                                                    • Part of subcall function 0041A310: sprintf.MSVCRT ref: 0041A39A
                                                    • Part of subcall function 0041A310: lstrlenA.KERNEL32(30e4*ga1,?,?,00000000,000003FF,?,00000000,771B0440,?,004174EB,%s.%s,blk,?,?,000001FE,00420A8E), ref: 0041A3AD
                                                    • Part of subcall function 0041A310: _snprintf.MSVCRT ref: 0041A3CC
                                                    • Part of subcall function 0041A310: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000,771B0440,?,004174EB), ref: 0041A3DB
                                                    • Part of subcall function 0041A310: sprintf.MSVCRT ref: 0041A3EC
                                                    • Part of subcall function 0041A310: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 0041A3FB
                                                    • Part of subcall function 0041A310: lstrlenA.KERNEL32(30e4*ga1,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 0041A404
                                                    • Part of subcall function 0041A310: EnterCriticalSection.KERNEL32(0045AC34,?,?,00000000), ref: 0041A436
                                                    • Part of subcall function 0041A310: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000003,00000000,00000000), ref: 0041A452
                                                    • Part of subcall function 0041A310: LeaveCriticalSection.KERNEL32(0045AC34,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A464
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$memset$File_memicmp$CriticalSectionsprintfsscanf$AttributesCreateEnterExitLeaveMoveThread_snprintf_vsnprintfclosesocket
                                                  • String ID: %s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).$%s.Detected process "%S" sending an IRC packet to server %s:%d.$%s:%d$JOIN$JOIN %255s$PRIVMSG$PRIVMSG %255s$block$cnc$pdef
                                                  • API String ID: 1085873876-1467418891
                                                  APIs
                                                  • memset.MSVCRT ref: 00420071
                                                  • GetProcessHeap.KERNEL32(00000000,00000000,00000000), ref: 00420080
                                                  • lstrlenA.KERNEL32(00000000), ref: 004200AB
                                                  • HeapAlloc.KERNEL32(00000000,00000008,00000001), ref: 004200B6
                                                  • lstrcpyA.KERNEL32(00000000,00000000), ref: 004200CB
                                                  • lstrlenA.KERNEL32(00000000), ref: 004200D2
                                                  • HeapAlloc.KERNEL32(00000000,00000008,00000001), ref: 004200E3
                                                  • strtok.MSVCRT ref: 004200F9
                                                  • strstr.MSVCRT ref: 00420117
                                                  • strstr.MSVCRT ref: 00420129
                                                  • lstrcatA.KERNEL32(00000000,00422B84), ref: 00420141
                                                  • _memicmp.MSVCRT ref: 0042014E
                                                  • lstrcatA.KERNEL32(00000000,Content-Length: ), ref: 00420160
                                                  • _snprintf.MSVCRT ref: 00420177
                                                  • lstrcatA.KERNEL32(00000000,00000000), ref: 0042018A
                                                  • strtok.MSVCRT ref: 00420193
                                                  • lstrcatA.KERNEL32(00000000,), ref: 004201AB
                                                  • lstrcatA.KERNEL32(00000000,00000000), ref: 004201B2
                                                  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 004201BE
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: lstrcat$Heap$Alloclstrlenstrstrstrtok$FreeProcess_memicmp_snprintflstrcpymemset
                                                  • String ID: $Content-Length:
                                                  • API String ID: 4006885983-3599722475
                                                  • Opcode ID: 2799c8a4412088bba52c46ee9d50e90aee2a9c7ef121078a8627263225594d1d
                                                  • Instruction ID: c2667623e3e8a6590669761278c44390ef4232e0c3921bb16acf684b25a9311e
                                                  • Opcode Fuzzy Hash: 2799c8a4412088bba52c46ee9d50e90aee2a9c7ef121078a8627263225594d1d
                                                  • Instruction Fuzzy Hash: BC41293170032877E720AF60BC41FBF77AC9F58715F800166FD08A2242E7FD9A518AA9
                                                  APIs
                                                  • memset.MSVCRT ref: 0041A335
                                                  • memset.MSVCRT ref: 0041A34F
                                                  • memset.MSVCRT ref: 0041A369
                                                  • _vsnprintf.MSVCRT ref: 0041A382
                                                  • sprintf.MSVCRT ref: 0041A39A
                                                  • lstrlenA.KERNEL32(30e4*ga1,?,?,00000000,000003FF,?,00000000,771B0440,?,004174EB,%s.%s,blk,?,?,000001FE,00420A8E), ref: 0041A3AD
                                                  • _snprintf.MSVCRT ref: 0041A3CC
                                                  • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000,771B0440,?,004174EB), ref: 0041A3DB
                                                  • sprintf.MSVCRT ref: 0041A3EC
                                                  • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 0041A3FB
                                                  • lstrlenA.KERNEL32(30e4*ga1,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 0041A404
                                                  • EnterCriticalSection.KERNEL32(0045AC34,?,?,00000000), ref: 0041A436
                                                  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000003,00000000,00000000), ref: 0041A452
                                                  • LeaveCriticalSection.KERNEL32(0045AC34,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A464
                                                  • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0041A484
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A48B
                                                  • Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A496
                                                  • LeaveCriticalSection.KERNEL32(0045AC34,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A4A1
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$CriticalSectionmemset$FileLeavesprintf$CloseCreateEnterHandleSleepWrite_snprintf_vsnprintf
                                                  • String ID: %d.$30e4*ga1$\\.\pipe\%08x_ipc
                                                  • API String ID: 4010528547-1120921377
                                                  • Opcode ID: 87c31d9b6a67dc0af00d9579153ecac463e2e5fe5bc2a5fa7c35c1f5b809762a
                                                  • Instruction ID: 5f0f9bb02480c8ed07180d71476973b144bc9f9e0cbd2b2adea27e3e1242d95b
                                                  • Opcode Fuzzy Hash: 87c31d9b6a67dc0af00d9579153ecac463e2e5fe5bc2a5fa7c35c1f5b809762a
                                                  • Instruction Fuzzy Hash: 8F411DB57402187BD720E791EC46FFA736CDF88705F804496F708E20D1D6B81A858B6D
                                                  APIs
                                                  • memset.MSVCRT ref: 00420202
                                                  • GetProcessHeap.KERNEL32(00000000,00000000,00000000), ref: 00420213
                                                  • EnterCriticalSection.KERNEL32(0045B4E4), ref: 00420223
                                                  • strstr.MSVCRT ref: 00420243
                                                  • lstrlenA.KERNEL32(00000000), ref: 00420254
                                                  • HeapAlloc.KERNEL32(00000000,00000008,00000001), ref: 0042025F
                                                  • lstrcpyA.KERNEL32(00000000,00000000), ref: 00420272
                                                  • strstr.MSVCRT ref: 00420281
                                                  • _snprintf.MSVCRT ref: 004202C8
                                                  • strstr.MSVCRT ref: 004202EF
                                                  • atoi.MSVCRT ref: 00420322
                                                  • lstrlenA.KERNEL32(00000000), ref: 00420386
                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 004203E4
                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 004203EE
                                                  • LeaveCriticalSection.KERNEL32(0045B4E4), ref: 004203FD
                                                  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0042041F
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Heap$Freestrstr$CriticalSectionlstrlen$AllocEnterLeaveProcess_snprintfatoilstrcpymemset
                                                  • String ID: $%s.%s hijacked!$%s=$http$httpi$httpspread$int$msg
                                                  • API String ID: 2097228407-1593535274
                                                  • Opcode ID: 59221efbdc7902b1dc9be52bee1ab2025174389d4270490fcecb6e748d7fb7c9
                                                  • Instruction ID: c2b0b7ae2f474fb596df15105377cd79075674f543348b557d275e10ae39c86f
                                                  • Opcode Fuzzy Hash: 59221efbdc7902b1dc9be52bee1ab2025174389d4270490fcecb6e748d7fb7c9
                                                  • Instruction Fuzzy Hash: 8C51FC71B40325ABDB10DB61AC45BBF77B8EF44714F90406BFD04E2242DAB8AD5187A9
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: strstrstrtok$lstrcmplstrlen
                                                  • String ID: WB$001$332$376$433$JOIN$KCIK %s$MOTD$PING$PPNG %s$PPPPMSG$SEND %s %s
                                                  • API String ID: 4048585210-2967028612
                                                  • Opcode ID: 7137c7796785d5d7c098127b8a3631ec81f63c32a1ff1053455280231947c6da
                                                  • Instruction ID: 9d72200ebbbdfbb388a95241e91480dba34fd4e4b574fb9accea10bfff0b4945
                                                  • Opcode Fuzzy Hash: 7137c7796785d5d7c098127b8a3631ec81f63c32a1ff1053455280231947c6da
                                                  • Instruction Fuzzy Hash: 0A511BF6F5021926D710BA29BC42FFA736CDB94319F5041ABFC08D2202F67DE89546E9
                                                  APIs
                                                  • lstrlenA.KERNEL32(?,00000000,00000000,00000000,?,?,00417CC2,00000000,00422914,?,?,?,?,?,?), ref: 0041AE11
                                                  • HeapAlloc.KERNEL32(?,00000008,00000001,?,00417CC2,00000000,00422914,?,?,?,?,?,?,?,00000000), ref: 0041AE23
                                                  • HeapAlloc.KERNEL32(?,00000008,-00000002,?,?,?,?,?,?,00000000), ref: 0041AE41
                                                  • strstr.MSVCRT ref: 0041AE59
                                                  • lstrcpyA.KERNEL32(00000000,?), ref: 0041AE70
                                                  • lstrcpyA.KERNEL32(00000000,?), ref: 0041AE77
                                                  • lstrcatA.KERNEL32(00000000,00422B54), ref: 0041AE7F
                                                  • strtok.MSVCRT ref: 0041AE8E
                                                  • lstrlenA.KERNEL32(00000000), ref: 0041AEA1
                                                  • _strnicmp.MSVCRT ref: 0041AEA6
                                                  • strtok.MSVCRT ref: 0041AEB9
                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 0041AED5
                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 0041AEEB
                                                  • strstr.MSVCRT ref: 0041AF10
                                                  • lstrlenA.KERNEL32(00000001), ref: 0041AF20
                                                  • lstrlenA.KERNEL32(00000001), ref: 0041AF27
                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0041AF2B
                                                  • lstrlenA.KERNEL32(00000001), ref: 0041AF3D
                                                  • lstrcpyA.KERNEL32(?,00000001), ref: 0041AF58
                                                  • lstrlenA.KERNEL32(00000001,?,00000001), ref: 0041AF5F
                                                  • lstrlenA.KERNEL32(00000001,?,00000001), ref: 0041AF6B
                                                  • HeapFree.KERNEL32(?,00000000,00000000,?,00000001), ref: 0041AF82
                                                  • HeapFree.KERNEL32(?,00000000,00000000,?,00000001), ref: 0041AF91
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$Heap$Free$lstrcpy$Allocstrstrstrtok$??2@_strnicmplstrcat
                                                  • String ID:
                                                  • API String ID: 3119447416-0
                                                  • Opcode ID: 4f8e455aa0db15df93855d24edd39d6586f805ff140c42f3592630f877865c0e
                                                  • Instruction ID: 050aa950c22c30c8377e8ba840db6c00c4c013c6aa8900c7dc12b7f3192420d3
                                                  • Opcode Fuzzy Hash: 4f8e455aa0db15df93855d24edd39d6586f805ff140c42f3592630f877865c0e
                                                  • Instruction Fuzzy Hash: 7241DF71641314ABD7209F65AC81FAB37A8EF49701F50412AFA0497351DA78ED228BAA
                                                  APIs
                                                  • strstr.MSVCRT ref: 00417C62
                                                  • _stricmp.MSVCRT(?,cPanel,blog,%s-%s-%s,?,?,00000000), ref: 00417D58
                                                  • _stricmp.MSVCRT(00000000,WHM), ref: 00417D71
                                                  • _stricmp.MSVCRT(?,WHCMS), ref: 00417D8A
                                                  • _stricmp.MSVCRT(?,Directadmin), ref: 00417DA3
                                                    • Part of subcall function 0041A310: memset.MSVCRT ref: 0041A335
                                                    • Part of subcall function 0041A310: memset.MSVCRT ref: 0041A34F
                                                    • Part of subcall function 0041A310: memset.MSVCRT ref: 0041A369
                                                    • Part of subcall function 0041A310: _vsnprintf.MSVCRT ref: 0041A382
                                                    • Part of subcall function 0041A310: sprintf.MSVCRT ref: 0041A39A
                                                    • Part of subcall function 0041A310: lstrlenA.KERNEL32(30e4*ga1,?,?,00000000,000003FF,?,00000000,771B0440,?,004174EB,%s.%s,blk,?,?,000001FE,00420A8E), ref: 0041A3AD
                                                    • Part of subcall function 0041A310: _snprintf.MSVCRT ref: 0041A3CC
                                                    • Part of subcall function 0041A310: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000,771B0440,?,004174EB), ref: 0041A3DB
                                                    • Part of subcall function 0041A310: sprintf.MSVCRT ref: 0041A3EC
                                                    • Part of subcall function 0041A310: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 0041A3FB
                                                    • Part of subcall function 0041A310: lstrlenA.KERNEL32(30e4*ga1,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 0041A404
                                                    • Part of subcall function 0041A310: EnterCriticalSection.KERNEL32(0045AC34,?,?,00000000), ref: 0041A436
                                                    • Part of subcall function 0041A310: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000003,00000000,00000000), ref: 0041A452
                                                    • Part of subcall function 0041A310: LeaveCriticalSection.KERNEL32(0045AC34,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A464
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 00417E02
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 00417E12
                                                    • Part of subcall function 004173E0: memset.MSVCRT ref: 00417401
                                                    • Part of subcall function 004173E0: memset.MSVCRT ref: 00417419
                                                    • Part of subcall function 004173E0: lstrlenA.KERNEL32(?), ref: 00417431
                                                    • Part of subcall function 004173E0: _snprintf.MSVCRT ref: 00417449
                                                    • Part of subcall function 004173E0: _vsnprintf.MSVCRT ref: 0041746B
                                                    • Part of subcall function 004173E0: lstrlenA.KERNEL32(?), ref: 0041747A
                                                    • Part of subcall function 00417330: memset.MSVCRT ref: 00417351
                                                    • Part of subcall function 00417330: lstrlenA.KERNEL32(?), ref: 00417369
                                                    • Part of subcall function 00417330: _snprintf.MSVCRT ref: 00417381
                                                    • Part of subcall function 00417330: _vsnprintf.MSVCRT ref: 004173A3
                                                    • Part of subcall function 00417330: lstrlenA.KERNEL32(00000000), ref: 004173B2
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$memset$_stricmp$_snprintf_vsnprintf$??3@CriticalSectionsprintf$CreateEnterFileLeavestrstr
                                                  • String ID: %s-%s-%s$%s.%s ->> %s (%s : %s)$%s.%s ->> %s : %s$4)B$Directadmin$WHCMS$WHM$blog$cPanel$ffgrab$httplogin$iegrab
                                                  • API String ID: 3716863481-3491173792
                                                  • Opcode ID: a05b220b9b75201a40153979cd92c1cba99672e9bb8d4ce371086989ef65ec4a
                                                  • Instruction ID: 207b5d509b84be8dc3d6f2ee11ef2c19e57e3058018896d5f4cf62c4894631e1
                                                  • Opcode Fuzzy Hash: a05b220b9b75201a40153979cd92c1cba99672e9bb8d4ce371086989ef65ec4a
                                                  • Instruction Fuzzy Hash: 3851DB74F00229ABDB10EB95EC41EBB737CAF50704B94401FB80593242E679ED82C7AD
                                                  APIs
                                                  • GetVolumeInformationA.KERNEL32(C:\,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 001C4170
                                                    • Part of subcall function 001C40D0: lstrlenA.KERNEL32(?,?,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,?,?,?,?,?,?,?,?,?,?,?,?,001C45A2), ref: 001C410D
                                                  • LoadLibraryA.KERNEL32(ole32.dll,CoInitializeEx), ref: 001C419A
                                                  • GetProcAddress.KERNEL32(00000000), ref: 001C41A1
                                                  • CoCreateInstance.OLE32(001C3644,00000000,00000001,001C3634,00000000), ref: 001C41DA
                                                  • wsprintfA.USER32 ref: 001C4237
                                                  • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 001C42FE
                                                  • DeleteFileW.KERNEL32(00000000), ref: 001C4308
                                                  Strings
                                                  • C:\, xrefs: 001C416B
                                                  • /c "start %%cd%%%s & attrib -s -h %%cd%%%s & xcopy /F /S /Q /H /R /Y %%cd%%%s %%temp%%\%s\ & attrib +s +h %%cd%%%s & start %%temp%%\%s\%s & exit", xrefs: 001C425E
                                                  • CoInitializeEx, xrefs: 001C4190
                                                  • /c "%%SystemRoot%%\explorer.exe %%cd%%%s & attrib -s -h %%cd%%%s & xcopy /F /S /Q /H /R /Y %%cd%%%s %%temp%%\%s\ & attrib +s +h %%cd%%%s & start %%temp%%\%s\%s & exit", xrefs: 001C422B
                                                  • %ALLUSERSPROFILE%\..\..\windows\system32\cmd.exe, xrefs: 001C4273
                                                  • ole32.dll, xrefs: 001C4195
                                                  • %SystemRoot%\system32\SHELL32.dll, xrefs: 001C42A5
                                                  • %SystemRoot%\system32\SHELL32.dll, xrefs: 001C42BC
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: File$AddressAttributesCreateDeleteInformationInstanceLibraryLoadProcVolumelstrlenwsprintf
                                                  • String ID: %ALLUSERSPROFILE%\..\..\windows\system32\cmd.exe$%SystemRoot%\system32\SHELL32.dll$%SystemRoot%\system32\SHELL32.dll$/c "%%SystemRoot%%\explorer.exe %%cd%%%s & attrib -s -h %%cd%%%s & xcopy /F /S /Q /H /R /Y %%cd%%%s %%temp%%\%s\ & attrib +s +h %%cd%%%s & start %%temp%%\%s\%s & exit"$/c "start %%cd%%%s & attrib -s -h %%cd%%%s & xcopy /F /S /Q /H /R /Y %%cd%%%s %%temp%%\%s\ & attrib +s +h %%cd%%%s & start %%temp%%\%s\%s & exit"$C:\$CoInitializeEx$ole32.dll
                                                  • API String ID: 2929663616-3322145631
                                                  • Opcode ID: f5afa79bcc89609b2ec275bbefc702ad9b90709d84f4626e6037df49b4bc88cc
                                                  • Instruction ID: 29a13a18d021c3a5d2736009b1823d54c8086330363d3b0904035708088c8e36
                                                  • Opcode Fuzzy Hash: f5afa79bcc89609b2ec275bbefc702ad9b90709d84f4626e6037df49b4bc88cc
                                                  • Instruction Fuzzy Hash: F5712DB5A40209BFD704CF94DC96FAE77B9BF99700F108148F615AB290D770EA81CBA4
                                                  APIs
                                                  • sscanf.MSVCRT ref: 0041260F
                                                    • Part of subcall function 004207D0: lstrlenA.KERNEL32(*&A,?,?,00000000,?,0041262A,?,00427008), ref: 004207DC
                                                    • Part of subcall function 004207D0: lstrcpyA.KERNEL32(00000000,*&A,?,00427008), ref: 004207F9
                                                  • strstr.MSVCRT ref: 0041264F
                                                    • Part of subcall function 00417700: memset.MSVCRT ref: 0041771E
                                                    • Part of subcall function 00417700: _snprintf.MSVCRT ref: 00417738
                                                    • Part of subcall function 00417700: lstrlenA.KERNEL32(00000000), ref: 00417747
                                                  • atoi.MSVCRT ref: 004126FB
                                                  • atoi.MSVCRT ref: 00412713
                                                  • lstrlenA.KERNEL32(00000000), ref: 0041276B
                                                  • lstrlenA.KERNEL32(00000000,00000000), ref: 0041278C
                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 004127F9
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$atoi$FreeHeap_snprintflstrcpymemsetsscanfstrstr
                                                  • String ID: %s.p10-> Message hijacked!$%s.p10-> Message to %s hijacked!$%s.p21-> Message hijacked!$CAL $CAL %d %256s$MSG $MSG $SDG $X-MMS-IM-Format:$baddr$msn$msnint$msnmsg$msnu
                                                  • API String ID: 1527159713-2027340701
                                                  • Opcode ID: db2f504225a4d1947737c326d1a740a23be4647e5576b2e7171f15a2b2a0223a
                                                  • Instruction ID: 8ded01ee25e401127372f08055e883fd5dd2f7ccc560b77aff83cf68161d446e
                                                  • Opcode Fuzzy Hash: db2f504225a4d1947737c326d1a740a23be4647e5576b2e7171f15a2b2a0223a
                                                  • Instruction Fuzzy Hash: 06515C71F4022477CB306A957D82AEF73A4EB50715FA0406FFC18D2382D6BD99E1869E
                                                  APIs
                                                  • memset.MSVCRT ref: 0041E5B0
                                                  • EnterCriticalSection.KERNEL32(0045B3C8), ref: 0041E5C9
                                                  • strtok.MSVCRT ref: 0041E5FE
                                                  • strstr.MSVCRT ref: 0041E617
                                                  • strstr.MSVCRT ref: 0041E62D
                                                  • strstr.MSVCRT ref: 0041E642
                                                  • lstrlenA.KERNEL32(00000000), ref: 0041E655
                                                  • lstrlenA.KERNEL32(00000000), ref: 0041E65B
                                                  • lstrcpyA.KERNEL32(00000000,00421335), ref: 0041E678
                                                  • lstrcpynA.KERNEL32(00000000,00000000,00000000), ref: 0041E687
                                                    • Part of subcall function 00417500: lstrlenA.KERNEL32(?), ref: 0041752B
                                                    • Part of subcall function 00417500: _snprintf.MSVCRT ref: 00417547
                                                    • Part of subcall function 00417500: _vsnprintf.MSVCRT ref: 00417569
                                                    • Part of subcall function 00417500: lstrcmpA.KERNEL32(?,bdns), ref: 0041758B
                                                    • Part of subcall function 00417500: StrStrIA.SHLWAPI(?,00000000), ref: 0041759F
                                                    • Part of subcall function 00417500: lstrlenA.KERNEL32(?), ref: 004175B9
                                                  • strtok.MSVCRT ref: 0041E6CF
                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 0041E71E
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 0041E72D
                                                  • LeaveCriticalSection.KERNEL32(0045B3C8), ref: 0041E73A
                                                    • Part of subcall function 0041AA10: memset.MSVCRT ref: 0041AA31
                                                    • Part of subcall function 0041AA10: lstrcpyA.KERNEL32(00000000,Mozilla/4.0), ref: 0041AA45
                                                    • Part of subcall function 0041AA10: InternetOpenA.WININET(00000000,?,?,?,?), ref: 0041AA60
                                                    • Part of subcall function 0041AA10: lstrlenA.KERNEL32(?), ref: 0041AA78
                                                    • Part of subcall function 0041AA10: InternetOpenUrlA.WININET(?,?,?,00000000,04000000,00000000), ref: 0041AA8C
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$strstr$CriticalInternetOpenSectionlstrcpymemsetstrtok$??3@EnterFreeHeapLeave_snprintf_vsnprintflstrcmplstrcpyn
                                                  • String ID: [DNS]: Blocked %d domain(s) - Redirected %d domain(s)$bdns$block
                                                  • API String ID: 1940452476-536441337
                                                  • Opcode ID: 6c16c0d12843629ba191ac31a78f2ecda7a86f515101455bc36f2298e9128cf3
                                                  • Instruction ID: 95b0b1ac9a84a61a554701236e843126ee7344b6f1c86e8dd2e7c64a9e9e46f9
                                                  • Opcode Fuzzy Hash: 6c16c0d12843629ba191ac31a78f2ecda7a86f515101455bc36f2298e9128cf3
                                                  • Instruction Fuzzy Hash: CA412A75B403187BD710A7A6AC82DFF77B9EF94704F900157FD04A3242E67D5A8087A9
                                                  APIs
                                                  • RegCreateKeyExA.ADVAPI32(80000001,Software\WindowsId Manager Reader,00000000,00000000,00000000,000F003F,00000000,00000000,00000000), ref: 001CAA82
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 001CAA98
                                                  • RegQueryValueExA.ADVAPI32(00000000,WindowsId,00000000,00000000,001D11B8,00000040), ref: 001CAAEB
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 001CAB03
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Close$CreateQueryValue
                                                  • String ID: %s\%s$@$Software\WindowsId Manager Reader$WindowsId$WindowsMark
                                                  • API String ID: 2495337196-3824015250
                                                  • Opcode ID: e4d1d076c5c48dc0f3aa71c2be275b84f62f6eb4648b25d1d8465748c0653bbb
                                                  • Instruction ID: 236ad93b32f64867472ddae0c2b1b4cf57a9349caff307c19005c28ff7e2fa62
                                                  • Opcode Fuzzy Hash: e4d1d076c5c48dc0f3aa71c2be275b84f62f6eb4648b25d1d8465748c0653bbb
                                                  • Instruction Fuzzy Hash: 2E4183B5A40218BBD720DB90DC8AFEA7778AB74B01F5041C8B349AA181D7F4EAC48F55
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Filewcsstr$Attributes$ExitMoveThread
                                                  • String ID: %s.%S$DBWIN$\\.\pipe$brk$dll$exe$ruskill
                                                  • API String ID: 294512176-1976196219
                                                  • Opcode ID: 29d544eb841588c4ca1089e8bce70bd8f49e72634c3e3b1b5e219f26b4ab42e0
                                                  • Instruction ID: b8cdb9fdd4f43b5d9d4f7f50e52f5c18c259878592dd39dbbac3ccd9f1e3a361
                                                  • Opcode Fuzzy Hash: 29d544eb841588c4ca1089e8bce70bd8f49e72634c3e3b1b5e219f26b4ab42e0
                                                  • Instruction Fuzzy Hash: 9F41157170122ABBE710DF41AC46FEB3358DF28715F54012AFE14922A1E7389D95C6AE
                                                  APIs
                                                  • GetProcessHeap.KERNEL32(00000008,00000208), ref: 0041B312
                                                  • HeapAlloc.KERNEL32(00000000), ref: 0041B319
                                                  • memset.MSVCRT ref: 0041B339
                                                  • memset.MSVCRT ref: 0041B354
                                                  • GetWindowsDirectoryW.KERNEL32(?,00000208), ref: 0041B387
                                                  • lstrcpynW.KERNEL32(?,?,00000004), ref: 0041B3A1
                                                  • GetVolumeInformationW.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0041B3BB
                                                  • lstrlenA.KERNEL32(30e4*ga1), ref: 0041B3D8
                                                  • lstrlenA.KERNEL32(30e4*ga1), ref: 0041B3F0
                                                  • lstrcatW.KERNEL32(00000000,.exe), ref: 0041B461
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Heaplstrlenmemset$AllocDirectoryInformationProcessVolumeWindowslstrcatlstrcpyn
                                                  • String ID: .exe$30e4*ga1$lol$lol.exe
                                                  • API String ID: 1748614950-3879922668
                                                  • Opcode ID: 16b44670f194d33260af315c05dcc6c82b68ae8eef9d72496038a6297256b08c
                                                  • Instruction ID: 7b239ccd28be30ddf640a328714fd6b2ca407242e2758b9bba734c5be45e2b84
                                                  • Opcode Fuzzy Hash: 16b44670f194d33260af315c05dcc6c82b68ae8eef9d72496038a6297256b08c
                                                  • Instruction Fuzzy Hash: 1B412771701228B6C720CB659C05BEFBBB9EF98311F4081A7F918D6251E7788A51C7AD
                                                  APIs
                                                  • memset.MSVCRT ref: 0041AA31
                                                  • lstrcpyA.KERNEL32(00000000,Mozilla/4.0), ref: 0041AA45
                                                  • InternetOpenA.WININET(00000000,?,?,?,?), ref: 0041AA60
                                                  • lstrlenA.KERNEL32(?), ref: 0041AA78
                                                  • InternetOpenUrlA.WININET(?,?,?,00000000,04000000,00000000), ref: 0041AA8C
                                                  • HttpQueryInfoA.WININET(?,20000013,?,?,00000000), ref: 0041AAC0
                                                  • InternetQueryDataAvailable.WININET(00000000,?,00000000,00000000), ref: 0041AAE2
                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0041AB15
                                                  • InternetReadFile.WININET(00000000,?,00000FF8,00000001), ref: 0041AB67
                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0041AB85
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 0041ABA5
                                                  • InternetCloseHandle.WININET(00000000), ref: 0041ABE7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Internet$??2@OpenQuery$??3@AvailableCloseDataFileHandleHttpInfoReadlstrcpylstrlenmemset
                                                  • String ID: Mozilla/4.0
                                                  • API String ID: 2392773942-2634101963
                                                  • Opcode ID: ecd47d7082600c5a1b8a5e2e9d469cd70959542c9ac7903056c9ad5ffa313744
                                                  • Instruction ID: 61734efbad243bbfc32b48277b9f39122be7714f2e8c96c2369e0a819c2609ee
                                                  • Opcode Fuzzy Hash: ecd47d7082600c5a1b8a5e2e9d469cd70959542c9ac7903056c9ad5ffa313744
                                                  • Instruction Fuzzy Hash: 64519B71A01205AFD720DF59EC84BAA77E8EF48341F04807EF908D7292D774A995CFA9
                                                  APIs
                                                  • memset.MSVCRT ref: 00412243
                                                  • WSAStartup.WS2_32(00000202,?), ref: 00412257
                                                    • Part of subcall function 00419300: inet_addr.WS2_32(n"A), ref: 00419308
                                                    • Part of subcall function 00419300: gethostbyname.WS2_32(n"A), ref: 00419313
                                                  • htons.WS2_32(00000050), ref: 00412288
                                                  • socket.WS2_32(00000002,00000001,00000006), ref: 00412297
                                                  • connect.WS2_32(00000000,?,00000010), ref: 004122AE
                                                  • GetTickCount.KERNEL32 ref: 004122C3
                                                  • GetTickCount.KERNEL32 ref: 004122F4
                                                  • GetTickCount.KERNEL32 ref: 00412307
                                                  • send.WS2_32(00000000,00000000,00000400,00000000), ref: 00412344
                                                  • GetTickCount.KERNEL32 ref: 00412350
                                                  • closesocket.WS2_32(00000000), ref: 00412363
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: CountTick$Startupclosesocketconnectgethostbynamehtonsinet_addrmemsetsendsocket
                                                  • String ID: gfff$i.root-servers.org
                                                  • API String ID: 99835129-3534201491
                                                  • Opcode ID: cfe3a95efd39d63d2d1ef9a2e6696566a5c6d8d4969243a8811bfd44734ec6e5
                                                  • Instruction ID: 1e8ebf6b88c1c8e3b5d28d0c7308c59326020142fd8a80bedc1dc33641b50d7b
                                                  • Opcode Fuzzy Hash: cfe3a95efd39d63d2d1ef9a2e6696566a5c6d8d4969243a8811bfd44734ec6e5
                                                  • Instruction Fuzzy Hash: 92317C71B0021C57DB14E679AD427FFB2A98F84704F44056AFE1CD72C1EAB88D91479A
                                                  APIs
                                                  • memset.MSVCRT ref: 00419850
                                                  • strtok.MSVCRT ref: 0041986E
                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 0041988B
                                                  • lstrcpynA.KERNEL32(00000000,00000000,00000400), ref: 004198A8
                                                  • strtok.MSVCRT ref: 004198B5
                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 004198D1
                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 0041999C
                                                  Strings
                                                  • [UDP]: Finished flood on "%s:%d", xrefs: 00419970
                                                  • [UDP]: Starting flood on "%s:%d" for %d second(s), xrefs: 0041993A
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: FreeHeap$strtok$lstrcpynmemset
                                                  • String ID: [UDP]: Finished flood on "%s:%d"$[UDP]: Starting flood on "%s:%d" for %d second(s)
                                                  • API String ID: 216847750-2644890838
                                                  • Opcode ID: 1b7a984f4b0bbf7a69fc98b175b9574e556913fcee6969670f422e418110befd
                                                  • Instruction ID: 0868e2adc90a40619fb5ac56214b564f01433ad18c7f51ba863ad22f0adf5d01
                                                  • Opcode Fuzzy Hash: 1b7a984f4b0bbf7a69fc98b175b9574e556913fcee6969670f422e418110befd
                                                  • Instruction Fuzzy Hash: 21314CF27402186BE720A7A1BC46FB737ACEB48709F40017EFF0892242D6789D51CA6D
                                                  APIs
                                                  • memset.MSVCRT ref: 004196D0
                                                  • strtok.MSVCRT ref: 004196EE
                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 0041970B
                                                  • lstrcpynA.KERNEL32(00000000,00000000,00000400), ref: 00419728
                                                  • strtok.MSVCRT ref: 00419735
                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 00419751
                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 0041981C
                                                  Strings
                                                  • [SYN]: Finished flood on "%s:%d", xrefs: 004197F0
                                                  • [SYN]: Starting flood on "%s:%d" for %d second(s), xrefs: 004197BA
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: FreeHeap$strtok$lstrcpynmemset
                                                  • String ID: [SYN]: Finished flood on "%s:%d"$[SYN]: Starting flood on "%s:%d" for %d second(s)
                                                  • API String ID: 216847750-3475151101
                                                  • Opcode ID: 612d6784b82533b41181ca9eedbbb715386848b0c14c9413145e84658aa7a8cf
                                                  • Instruction ID: ccf238211399c117c10b5d2838a4c89e7a9b7a295e5813805513e5f894a4ed08
                                                  • Opcode Fuzzy Hash: 612d6784b82533b41181ca9eedbbb715386848b0c14c9413145e84658aa7a8cf
                                                  • Instruction Fuzzy Hash: CF3118F27402186BE720A7A1BC46FB737ACEB48709F54017AFF0492182D6789D55C6AD
                                                  APIs
                                                  • GetProcessHeap.KERNEL32 ref: 00420C89
                                                  • GetModuleFileNameA.KERNEL32(00000000,0045AA28,00000104), ref: 00420C9F
                                                  • GetModuleFileNameW.KERNEL32(00000000,0045A710,00000208), ref: 00420CB0
                                                  • GetWindowsDirectoryA.KERNEL32(0045AB30,00000104), ref: 00420CC0
                                                    • Part of subcall function 004119F0: wcsrchr.MSVCRT ref: 004119F9
                                                  • InitializeCriticalSection.KERNEL32(0045AC34), ref: 00420CE3
                                                  • InitializeCriticalSection.KERNEL32(0045B4E4), ref: 00420CEA
                                                  • MoveFileExW.KERNEL32(0045A710,00000000,00000004), ref: 00420DA5
                                                    • Part of subcall function 0041A150: memset.MSVCRT ref: 0041A170
                                                    • Part of subcall function 0041A150: GetWindowsDirectoryW.KERNEL32(?,00000208,?,?,?), ref: 0041A184
                                                    • Part of subcall function 0041A150: _memicmp.MSVCRT ref: 0041A1C3
                                                  • SetFileAttributesW.KERNEL32(0045A710,00000080), ref: 00420D96
                                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000E9F0,00000000,00000000,00000000), ref: 00420DED
                                                  • CloseHandle.KERNEL32(00000000), ref: 00420DF4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: File$CriticalDirectoryInitializeModuleNameSectionWindows$AttributesCloseCreateHandleHeapMoveProcessThread_memicmpmemsetwcsrchr
                                                  • String ID: %s.%S$brk$ruskill
                                                  • API String ID: 2870590860-2269373653
                                                  • Opcode ID: a5b884eb6e73ca217e7f01215777b6cf2b62008edfe43d42c4ed54a56ddee4e9
                                                  • Instruction ID: 03d29a616c1f3e26cc5129d48c206addfafccef63487a1a791e00453e7cf62d9
                                                  • Opcode Fuzzy Hash: a5b884eb6e73ca217e7f01215777b6cf2b62008edfe43d42c4ed54a56ddee4e9
                                                  • Instruction Fuzzy Hash: 4631C971791310B7D6306BE17C0BF5A3BA0AB15B56FA00533FE01911E3D6BDA066866F
                                                  APIs
                                                  • lstrlenA.KERNEL32(?), ref: 001C491E
                                                  • lstrlenA.KERNEL32(?,?,00000000), ref: 001C4933
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000000), ref: 001C4945
                                                    • Part of subcall function 001C4140: GetVolumeInformationA.KERNEL32(C:\,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 001C4170
                                                    • Part of subcall function 001C4140: LoadLibraryA.KERNEL32(ole32.dll,CoInitializeEx), ref: 001C419A
                                                    • Part of subcall function 001C4140: GetProcAddress.KERNEL32(00000000), ref: 001C41A1
                                                  • SetFileAttributesA.KERNEL32(?,00000006), ref: 001C497C
                                                  • SetFileAttributesA.KERNEL32(?,00000005), ref: 001C498B
                                                  • FindNextFileA.KERNEL32(000000FF,?), ref: 001C499F
                                                  • wsprintfA.USER32 ref: 001C49C7
                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 001C49DC
                                                  • DeleteFileA.KERNEL32(?), ref: 001C49E9
                                                  • CopyFileA.KERNEL32(?,?,00000000), ref: 001C49FF
                                                  • SetFileAttributesA.KERNEL32(?,00000006), ref: 001C4A0E
                                                  • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000006,00000000), ref: 001C4A2A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: File$Attributes$lstrlen$AddressByteCharCopyCreateDeleteFindInformationLibraryLoadMultiNextProcVolumeWidewsprintf
                                                  • String ID: %s\%s
                                                  • API String ID: 1757339674-4073750446
                                                  • Opcode ID: 345c796a3c9d20bf6b1f480505609e10c1f2e9cf8e5673db0a1d0ec49fccb510
                                                  • Instruction ID: 83f742c06495b27ab9048460db2061c147ce41079a0649ccfc32711cabb88dd6
                                                  • Opcode Fuzzy Hash: 345c796a3c9d20bf6b1f480505609e10c1f2e9cf8e5673db0a1d0ec49fccb510
                                                  • Instruction Fuzzy Hash: 1F318D72944218BBEB20CBA0DC48FDA7B38BB19700F0445CAB209A6091EB70E6D4CF50
                                                  APIs
                                                    • Part of subcall function 001C7D90: LoadLibraryW.KERNELBASE ref: 001C7DB3
                                                  • SetLastError.KERNEL32(00000000), ref: 001C7C6D
                                                  • CreateMutexA.KERNEL32(00000000,00000000,MonitorSvchost_MUTEX_OBJECT_RELEASED_c000900), ref: 001C7C7C
                                                  • GetLastError.KERNEL32 ref: 001C7C82
                                                  • ExitProcess.KERNEL32 ref: 001C7C91
                                                  • GetProcessVersion.KERNEL32(?), ref: 001C7CAB
                                                  • SHGetFolderPathA.SHELL32(00000000,00000025,00000000,00000000,001D1628), ref: 001C7CF6
                                                  • lstrcatA.KERNEL32(001D1628,\svchost.exe), ref: 001C7D06
                                                  • CreateProcessA.KERNEL32(001D1628,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 001C7D4E
                                                  • Sleep.KERNEL32(000003E8), ref: 001C7D75
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Process$CreateErrorLast$ExitFolderLibraryLoadMutexPathSleepVersionlstrcat
                                                  • String ID: %$D$MonitorSvchost_MUTEX_OBJECT_RELEASED_c000900$\svchost.exe
                                                  • API String ID: 1779936777-49527950
                                                  • Opcode ID: 59b0f8bba9e60ddb16a4011962f6dc639c11101ae6cc5376a95dedb18a949aad
                                                  • Instruction ID: 6e6582d3606a3e0e5b0c370db2e1f562160e45a38deacb013cce7ffc665bb29c
                                                  • Opcode Fuzzy Hash: 59b0f8bba9e60ddb16a4011962f6dc639c11101ae6cc5376a95dedb18a949aad
                                                  • Instruction Fuzzy Hash: 8B218171BC5344BBE710ABA0AC4BFAD3B35AB64B01F140008F705AA5C2D7F5D9408B5A
                                                  APIs
                                                    • Part of subcall function 001C7D90: LoadLibraryW.KERNELBASE ref: 001C7DB3
                                                  • SetLastError.KERNEL32(00000000), ref: 001C7B20
                                                  • CreateMutexA.KERNEL32(00000000,00000000,MonitorPaint_MUTEX_OBJECT_RELEASED_c000900), ref: 001C7B2F
                                                  • GetLastError.KERNEL32 ref: 001C7B35
                                                  • ExitProcess.KERNEL32 ref: 001C7B44
                                                  • GetProcessVersion.KERNEL32(?), ref: 001C7B5E
                                                  • SHGetFolderPathA.SHELL32(00000000,00000025,00000000,00000000,001D1628), ref: 001C7BB2
                                                  • lstrcatA.KERNEL32(001D1628,\mspaint.exe), ref: 001C7BC2
                                                  • CreateProcessA.KERNEL32(001D1628,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 001C7C19
                                                  • Sleep.KERNEL32(000003E8), ref: 001C7C46
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Process$CreateErrorLast$ExitFolderLibraryLoadMutexPathSleepVersionlstrcat
                                                  • String ID: %$D$MonitorPaint_MUTEX_OBJECT_RELEASED_c000900$\mspaint.exe
                                                  • API String ID: 1779936777-1747214965
                                                  • Opcode ID: 89b6e55cc6811aee38b13ab11980416bfa0f289f9144c8bdd45f195a7861101a
                                                  • Instruction ID: dc4c1ea5df93f657c6cb955c3cfec2228c8fff96149a81134e0993476f1a06a6
                                                  • Opcode Fuzzy Hash: 89b6e55cc6811aee38b13ab11980416bfa0f289f9144c8bdd45f195a7861101a
                                                  • Instruction Fuzzy Hash: 083183B1BC4304BBE7246BA0AC4BFE93B78AB65B01F144148F709695C2D7F5E9808F59
                                                  APIs
                                                    • Part of subcall function 001C7D90: LoadLibraryW.KERNELBASE ref: 001C7DB3
                                                  • GetModuleHandleA.KERNEL32(kernel32.dll,IsWow64Process), ref: 001C3705
                                                  • GetProcAddress.KERNEL32(00000000), ref: 001C370C
                                                  • SetLastError.KERNEL32(00000000), ref: 001C3719
                                                  • CreateMutexA.KERNEL32(00000000,00000000,AAVkillllerrrsdadc000900), ref: 001C3728
                                                  • GetLastError.KERNEL32 ref: 001C372E
                                                  • ExitProcess.KERNEL32 ref: 001C373D
                                                  • GetCurrentProcessId.KERNEL32 ref: 001C3743
                                                  • CreateThread.KERNEL32(00000000,00000000,001C36A0,00000000,00000000,00000000), ref: 001C375D
                                                  • CreateThread.KERNEL32(00000000,00000000,001C3CD0,00000000,00000000,00000000), ref: 001C37F6
                                                  • CreateThread.KERNEL32(00000000,00000000,001C3B60,00000000,00000000,00000000), ref: 001C380E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Create$Thread$ErrorLastProcess$AddressCurrentExitHandleLibraryLoadModuleMutexProc
                                                  • String ID: AAVkillllerrrsdadc000900$IsWow64Process$kernel32.dll
                                                  • API String ID: 287773984-3869063687
                                                  • Opcode ID: b1bc607c7680feeab9fcfbc7cf6e52c166ad05a0fb3da6fbedc7a598219442e3
                                                  • Instruction ID: ec33dd4e757e953a1a04270e69f13db8f4182bc5a3a198038c3d9c771d77ba38
                                                  • Opcode Fuzzy Hash: b1bc607c7680feeab9fcfbc7cf6e52c166ad05a0fb3da6fbedc7a598219442e3
                                                  • Instruction Fuzzy Hash: 62217174AC6740BFF7116BF0EC0BF183B61A725B01F20411AF71569AE2D7F4E5808A19
                                                  APIs
                                                  • memset.MSVCRT ref: 0041A89E
                                                    • Part of subcall function 00417790: memset.MSVCRT ref: 004177AE
                                                    • Part of subcall function 00417790: memset.MSVCRT ref: 004177C8
                                                    • Part of subcall function 00417790: lstrcpyA.KERNEL32(00000000,off), ref: 004177F0
                                                    • Part of subcall function 00417790: _snprintf.MSVCRT ref: 0041780D
                                                    • Part of subcall function 00417790: lstrlenA.KERNEL32(00000000), ref: 00417822
                                                    • Part of subcall function 00417790: lstrlenA.KERNEL32(00000000), ref: 00417858
                                                  • _snprintf.MSVCRT ref: 0041A936
                                                    • Part of subcall function 00417500: lstrlenA.KERNEL32(?), ref: 0041752B
                                                    • Part of subcall function 00417500: _snprintf.MSVCRT ref: 00417547
                                                    • Part of subcall function 00417500: _vsnprintf.MSVCRT ref: 00417569
                                                    • Part of subcall function 00417500: lstrcmpA.KERNEL32(?,bdns), ref: 0041758B
                                                    • Part of subcall function 00417500: StrStrIA.SHLWAPI(?,00000000), ref: 0041759F
                                                    • Part of subcall function 00417500: lstrlenA.KERNEL32(?), ref: 004175B9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$_snprintfmemset$_vsnprintflstrcmplstrcpy
                                                  • String ID: bdns$ffgrab$ftpgrab$http$httpi$iegrab$int$msg$msn$msnu$pdef$popgrab$usbi
                                                  • API String ID: 3955240783-2907616027
                                                  • Opcode ID: 45f864885e6d9010d1a1bd47b2b098a8a2351f15ecf19d8cf73bce0df37c965e
                                                  • Instruction ID: c0802ad5878581e489621197d6c2f18b21d285e57ac503ac5be195ef9f7ad08c
                                                  • Opcode Fuzzy Hash: 45f864885e6d9010d1a1bd47b2b098a8a2351f15ecf19d8cf73bce0df37c965e
                                                  • Instruction Fuzzy Hash: EF118470BE532635EA21FAA17CC3FD926350F50F19FA0005B7618790C399ED31C0816E
                                                  APIs
                                                  • memset.MSVCRT ref: 0041180E
                                                  • memset.MSVCRT ref: 00411829
                                                  • wcsstr.MSVCRT ref: 00411842
                                                  • lstrcmpA.KERNEL32(00000000,block), ref: 00411888
                                                  • strstr.MSVCRT ref: 00411898
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000208), ref: 004118B7
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000104,00000000,00000000), ref: 00411905
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWidememset$lstrcmpstrstrwcsstr
                                                  • String ID: %s.%S$bdns$block$brk$rdns
                                                  • API String ID: 695720605-4000218262
                                                  • Opcode ID: c35888f25fdc8b41692a22d2b1ff956bb7d0080adadccc5c3d0790e690f42e6c
                                                  • Instruction ID: 6a2912c137ff01cb083720f4a09d8de33a4a0e4b616272a2819dc893b15a2a48
                                                  • Opcode Fuzzy Hash: c35888f25fdc8b41692a22d2b1ff956bb7d0080adadccc5c3d0790e690f42e6c
                                                  • Instruction Fuzzy Hash: CF514BB1B00218BBDB20EB55EC06FEB37689F55714F40412BFE10D22A1E7789984C7A9
                                                  APIs
                                                  • CoCreateInstance.OLE32(00423634,00000000,00000001,00423614,?), ref: 0041EE5B
                                                  • memset.MSVCRT ref: 0041EE81
                                                  • lstrcpyA.KERNEL32(00000000,?), ref: 0041EE9A
                                                  • lstrcatA.KERNEL32(00000000,00422C78), ref: 0041EEAE
                                                  • lstrcatA.KERNEL32(00000000,?), ref: 0041EEBB
                                                  • memset.MSVCRT ref: 0041EED5
                                                  • SHGetFileInfoA.SHELL32(?,00000000,00000000,00000160,00001000), ref: 0041EEF4
                                                  • memset.MSVCRT ref: 0041EF68
                                                  • lstrcpyA.KERNEL32(00000000,?), ref: 0041EF7B
                                                  • lstrcatA.KERNEL32(00000000,00422F5C), ref: 0041EF89
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 0041EFA4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: lstrcatmemset$lstrcpy$ByteCharCreateFileInfoInstanceMultiWide
                                                  • String ID: shell32.dll
                                                  • API String ID: 3196525290-3366042328
                                                  • Opcode ID: 786e83b511d6e032bcc1a266f821778d8f24c32384119bc5469052f6e2e389ed
                                                  • Instruction ID: 61d73f430d11c41f969b38cea77bfdda0818ef6bac1ebdb25e7c86bba03adabd
                                                  • Opcode Fuzzy Hash: 786e83b511d6e032bcc1a266f821778d8f24c32384119bc5469052f6e2e389ed
                                                  • Instruction Fuzzy Hash: ED514E75B00218AFDB50DB94DC81FDAB3B8AF8C700F504599F608AB290DBB4AE45CB64
                                                  APIs
                                                  • GetProcessVersion.KERNEL32(?), ref: 001C7DED
                                                  • SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 001C7E81
                                                  • lstrcatW.KERNEL32(?,\charmap.exe), ref: 001C7E93
                                                  • SHGetFolderPathW.SHELL32(00000000,00000026,00000000,00000000,?), ref: 001C7EDC
                                                  • lstrcatW.KERNEL32(?,\Windows Media Player\wmprph.exe), ref: 001C7EEE
                                                  • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000001,08000000,00000000,00000000,00000044,?), ref: 001C7F14
                                                  • ExitProcess.KERNEL32 ref: 001C7F2F
                                                    • Part of subcall function 001CA860: GetCurrentProcess.KERNEL32(00000000), ref: 001CA878
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Process$FolderPathlstrcat$CreateCurrentExitVersion
                                                  • String ID: &$D$WindowsSecondaryDesktop$\Windows Media Player\wmprph.exe$\charmap.exe
                                                  • API String ID: 468906602-2392492338
                                                  • Opcode ID: 6e0004c8c1268478b1a135f063acaaecf94bcf63d7a6fce691669a8904459b45
                                                  • Instruction ID: 65cc9fed7c77825612040fe4c76d36a1cc7932ce8b90cb292307369010876eca
                                                  • Opcode Fuzzy Hash: 6e0004c8c1268478b1a135f063acaaecf94bcf63d7a6fce691669a8904459b45
                                                  • Instruction Fuzzy Hash: 4D317875A44308BBEB10DB91DD4AFED7778AB24B04F104248F305AA1D1EBF5DA84CB56
                                                  APIs
                                                  • memset.MSVCRT ref: 004110C0
                                                  • lstrcmpW.KERNEL32(?,0045ADA0), ref: 004110D7
                                                  • lstrcmpW.KERNEL32(?,0045A710), ref: 0041111D
                                                  • MoveFileExW.KERNEL32(?,00000000,00000004), ref: 00411127
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000104,00000000,00000000), ref: 00411161
                                                  • lstrcpyA.KERNEL32(00426D88,00000000), ref: 00411179
                                                  • lstrcpyA.KERNEL32(00000000,00421335), ref: 00411187
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000104,00000000,00000000), ref: 004111A0
                                                  • lstrcpyA.KERNEL32(00426E90,00000000), ref: 004111B3
                                                    • Part of subcall function 00417700: memset.MSVCRT ref: 0041771E
                                                    • Part of subcall function 00417700: _snprintf.MSVCRT ref: 00417738
                                                    • Part of subcall function 00417700: lstrlenA.KERNEL32(00000000), ref: 00417747
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: lstrcpy$ByteCharMultiWidelstrcmpmemset$FileMove_snprintflstrlen
                                                  • String ID: %s.%S$pdef$ruskill
                                                  • API String ID: 1230166232-1410347113
                                                  • Opcode ID: 303d8b16737d413bbc7e0fa645610c62791f072064233ad325e8950d0d0698eb
                                                  • Instruction ID: c74216a119264e80521a3c2091edf493f2cfab07dc1351b85669001576e21234
                                                  • Opcode Fuzzy Hash: 303d8b16737d413bbc7e0fa645610c62791f072064233ad325e8950d0d0698eb
                                                  • Instruction Fuzzy Hash: 2F31F5717403287BE720DB549C82FEBB36C9B99B10F500157FB44E61D0DBB4AD8086AD
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: _vsnprintflstrlenmemset$_memicmp_snprintf
                                                  • String ID: %s.%s$%s_$blk$block
                                                  • API String ID: 3657324510-3589362310
                                                  • Opcode ID: 6769055947fdbd95d064ee06582104734b6d1c22f3dec07f16983a2a7cdb3dc2
                                                  • Instruction ID: 08d89acb49e200f8760b2a7034457717d2872a4df4c9b6e9c077b7ad5fa5731c
                                                  • Opcode Fuzzy Hash: 6769055947fdbd95d064ee06582104734b6d1c22f3dec07f16983a2a7cdb3dc2
                                                  • Instruction Fuzzy Hash: 562124B274021D7BE710EA59EC82FFB33ACDF44718F4445AEBE1893142E6789E454768
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: memset$lstrcpy$CountTicksprintfstrtok
                                                  • String ID: %s / ?%d HTTP/1.1Host: %sUser-Agent: %sKeep-Alive: 300Connection: keep-aliveContent-Length: 42$GET$Mozilla/4.0$POST
                                                  • API String ID: 3318893083-109246470
                                                  • Opcode ID: 1020b1168bcd2cd1d797727fc217f1e17d7e0213e5c090947775c267375d9659
                                                  • Instruction ID: 4c5c624fa797c7b9af3c7efab0ab22db48d94e688c2af79701701eb36296595f
                                                  • Opcode Fuzzy Hash: 1020b1168bcd2cd1d797727fc217f1e17d7e0213e5c090947775c267375d9659
                                                  • Instruction Fuzzy Hash: 9D213FF5B401286AD724E755DD42FEA736C9FA8704F40058BF308A2181D6F8AFC58A7D
                                                  APIs
                                                  • RegCreateKeyExA.ADVAPI32(00000000,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00000000,00000000,00000002,00000000,?,00000000), ref: 001C953F
                                                  • GetLastError.KERNEL32 ref: 001C9545
                                                  • RegSetValueExA.ADVAPI32(?,DisableLocalMachineRun,00000000,00000004,00000001,00000004), ref: 001C9562
                                                  • RegSetValueExA.ADVAPI32(?,DisableCurrentUserRun,00000000,00000004,00000001,00000004), ref: 001C957B
                                                  • RegSetValueExA.ADVAPI32(?,DisableLocalMachineRunOnce,00000000,00000004,00000001,00000004), ref: 001C9594
                                                  • RegSetValueExA.ADVAPI32(?,DisableCurrentUserRunOnce,00000000,00000004,00000001,00000004), ref: 001C95AD
                                                  • RegCloseKey.ADVAPI32(?), ref: 001C95B7
                                                  Strings
                                                  • DisableCurrentUserRun, xrefs: 001C9572
                                                  • DisableLocalMachineRun, xrefs: 001C9559
                                                  • DisableLocalMachineRunOnce, xrefs: 001C958B
                                                  • DisableCurrentUserRunOnce, xrefs: 001C95A4
                                                  • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, xrefs: 001C9536
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Value$CloseCreateErrorLast
                                                  • String ID: DisableCurrentUserRun$DisableCurrentUserRunOnce$DisableLocalMachineRun$DisableLocalMachineRunOnce$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
                                                  • API String ID: 4022192774-437252294
                                                  • Opcode ID: e87d4951b7c18f73a50c417145edf2cdb96cf757d3cef4557b87cc76810a68d8
                                                  • Instruction ID: 0e5fdaee66295624439af6e89d1d5aabc5391b996fb212e7fa40c7401455ff27
                                                  • Opcode Fuzzy Hash: e87d4951b7c18f73a50c417145edf2cdb96cf757d3cef4557b87cc76810a68d8
                                                  • Instruction Fuzzy Hash: 8211FBB5A80308BBEB20DBD0CC4AFBE7B39AB44B00F10455CB721AA1D1D7B4E594DB94
                                                  APIs
                                                  • SetLastError.KERNEL32(00000000,001C92D2,80000002), ref: 001C95D8
                                                  • RegCreateKeyExA.ADVAPI32(?,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 001C9603
                                                  • GetLastError.KERNEL32 ref: 001C9609
                                                  • RegDeleteValueA.ADVAPI32(?,DisableLocalMachineRun), ref: 001C961C
                                                  • RegDeleteValueA.ADVAPI32(?,DisableCurrentUserRun), ref: 001C962B
                                                  • RegDeleteValueA.ADVAPI32(?,DisableLocalMachineRunOnce), ref: 001C963A
                                                  • RegDeleteValueA.ADVAPI32(?,DisableCurrentUserRunOnce), ref: 001C9649
                                                  Strings
                                                  • DisableCurrentUserRun, xrefs: 001C9622
                                                  • DisableLocalMachineRun, xrefs: 001C9613
                                                  • DisableLocalMachineRunOnce, xrefs: 001C9631
                                                  • DisableCurrentUserRunOnce, xrefs: 001C9640
                                                  • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, xrefs: 001C95FA
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: DeleteValue$ErrorLast$Create
                                                  • String ID: DisableCurrentUserRun$DisableCurrentUserRunOnce$DisableLocalMachineRun$DisableLocalMachineRunOnce$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
                                                  • API String ID: 3522162313-437252294
                                                  • Opcode ID: aa928d96a843f7b73191ea372ab46e4ce03d4f493b746853572db2fdb81859d3
                                                  • Instruction ID: 602025f4b4a790805af41bb7a2d42c7d764f3c4667da74f4a0055a41a527bd11
                                                  • Opcode Fuzzy Hash: aa928d96a843f7b73191ea372ab46e4ce03d4f493b746853572db2fdb81859d3
                                                  • Instruction Fuzzy Hash: 93014675A80248BBCB00DFE0DC4AFEA7B79AB19B01F000158B701A6591DBB0E6A18B50
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: lstrcmp$AttributesFile_snprintfmemsetstrrchr$ExtensionFindPath
                                                  • String ID:
                                                  • API String ID: 1691573101-0
                                                  • Opcode ID: 0efedcb6e9cdd7416358c7b38438caead9214cc3c14ad1fe9e124894aef84c0b
                                                  • Instruction ID: 9a24aa2ac9b298ef5c2324ea6915223440c11bf2f0efc614031b67ab77922bed
                                                  • Opcode Fuzzy Hash: 0efedcb6e9cdd7416358c7b38438caead9214cc3c14ad1fe9e124894aef84c0b
                                                  • Instruction Fuzzy Hash: 1531EC7174432576D720A665ED02FEB73ACAF48741F490076F908A11C2DBFC9D868AB9
                                                  APIs
                                                  • memset.MSVCRT ref: 00416F91
                                                  • lstrcpyA.KERNEL32(00000000,HKCU\), ref: 00416FFE
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000400), ref: 00417017
                                                  • _wcsnicmp.MSVCRT ref: 00417061
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWide_wcsnicmplstrcpymemset
                                                  • String ID: %S%s%s$%s.%s%s$HKCU\$HKLM\$Software\Microsoft\Windows\CurrentVersion\Run$brk$rreg
                                                  • API String ID: 2911520168-3007424447
                                                  • Opcode ID: fdfea201d5f5502022c423661df2479e0de4188fadc52406e3eb3bcd94d1adb4
                                                  • Instruction ID: 2e4e08dd7a0f9a130e84778ccda52940078916102311858355e611ce34750223
                                                  • Opcode Fuzzy Hash: fdfea201d5f5502022c423661df2479e0de4188fadc52406e3eb3bcd94d1adb4
                                                  • Instruction Fuzzy Hash: 8141A5B1B00218BBCB10CF94AC46FEF7BB8AB5C714F50015BF904E2241E6789A90C7AD
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 001C3B6B
                                                  • GetProcAddress.KERNEL32(?,GetExtendedTcpTable), ref: 001C3B7D
                                                  • GetProcAddress.KERNEL32(?,GetOwnerModuleFromTcpEntry), ref: 001C3B8F
                                                  • GetProcessHeap.KERNEL32 ref: 001C3B98
                                                  • VirtualAlloc.KERNEL32(00000000,0000400C,00003000,00000004), ref: 001C3BAF
                                                  • VirtualAlloc.KERNEL32(00000000,0000400C,00003000,00000004), ref: 001C3BC6
                                                  • SetTcpEntry.IPHLPAPI(0000000C), ref: 001C3C88
                                                  • Sleep.KERNEL32(00000064), ref: 001C3CB3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: AddressAllocProcVirtual$EntryHeapLibraryLoadProcessSleep
                                                  • String ID: GetExtendedTcpTable$GetOwnerModuleFromTcpEntry$iphlpapi.dll
                                                  • API String ID: 3003257622-3337519260
                                                  • Opcode ID: a5c807d033d90fb786cfef3b1758af37176173a66d634f8680ccdd5d428f1883
                                                  • Instruction ID: 2bcebab4f97e6d80abbc580dac8009fd16276b2063af29bf7a02c10b5e2d9512
                                                  • Opcode Fuzzy Hash: a5c807d033d90fb786cfef3b1758af37176173a66d634f8680ccdd5d428f1883
                                                  • Instruction Fuzzy Hash: BC4109B4E40209EFEB18CF94D985FAEBBB1FB49700F208149EA11BB381D7759A40CB55
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: _wcsnicmplstrcpymemset
                                                  • String ID: %S%S%S$%s.%S%S$HKCU\$HKLM\$Software\Microsoft\Windows\CurrentVersion\Run$brk$rreg
                                                  • API String ID: 1531173107-4065158899
                                                  • Opcode ID: 17e154bc09a29da6f7566aafa91453ab464ecdf87ee8dfbafc74c2766105c7dc
                                                  • Instruction ID: 7dd9c1aa54dd9701c2cd5c8078411046088245c1274695f88fee22d10c93bdba
                                                  • Opcode Fuzzy Hash: 17e154bc09a29da6f7566aafa91453ab464ecdf87ee8dfbafc74c2766105c7dc
                                                  • Instruction Fuzzy Hash: ED31EB72B403247AC710DE84AC4AFEB33BCDB58755F500257FD05A2242E678A9D187AD
                                                  APIs
                                                    • Part of subcall function 004119F0: wcsrchr.MSVCRT ref: 004119F9
                                                    • Part of subcall function 00417700: memset.MSVCRT ref: 0041771E
                                                    • Part of subcall function 00417700: _snprintf.MSVCRT ref: 00417738
                                                    • Part of subcall function 00417700: lstrlenA.KERNEL32(00000000), ref: 00417747
                                                  • strstr.MSVCRT ref: 004169A8
                                                  • lstrcmpA.KERNEL32(00426D88,0045AC50,?,?,?,?,?,?), ref: 004169BE
                                                  • SetFileAttributesA.KERNEL32(00426E90,00000080,?,?,?,?,?,?), ref: 004169D2
                                                  • DeleteFileA.KERNEL32(00426E90,?,?,?,?,?,?), ref: 004169DD
                                                  • MoveFileExA.KERNEL32(00426D88,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 004169EC
                                                    • Part of subcall function 0041A310: memset.MSVCRT ref: 0041A335
                                                    • Part of subcall function 0041A310: memset.MSVCRT ref: 0041A34F
                                                    • Part of subcall function 0041A310: memset.MSVCRT ref: 0041A369
                                                    • Part of subcall function 0041A310: _vsnprintf.MSVCRT ref: 0041A382
                                                    • Part of subcall function 0041A310: sprintf.MSVCRT ref: 0041A39A
                                                    • Part of subcall function 0041A310: lstrlenA.KERNEL32(30e4*ga1,?,?,00000000,000003FF,?,00000000,771B0440,?,004174EB,%s.%s,blk,?,?,000001FE,00420A8E), ref: 0041A3AD
                                                    • Part of subcall function 0041A310: _snprintf.MSVCRT ref: 0041A3CC
                                                    • Part of subcall function 0041A310: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000,771B0440,?,004174EB), ref: 0041A3DB
                                                    • Part of subcall function 0041A310: sprintf.MSVCRT ref: 0041A3EC
                                                    • Part of subcall function 0041A310: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 0041A3FB
                                                    • Part of subcall function 0041A310: lstrlenA.KERNEL32(30e4*ga1,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 0041A404
                                                    • Part of subcall function 0041A310: EnterCriticalSection.KERNEL32(0045AC34,?,?,00000000), ref: 0041A436
                                                    • Part of subcall function 0041A310: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000003,00000000,00000000), ref: 0041A452
                                                    • Part of subcall function 0041A310: LeaveCriticalSection.KERNEL32(0045AC34,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A464
                                                  Strings
                                                  • pdef, xrefs: 00416986
                                                  • autorun.inf, xrefs: 00416970
                                                  • %s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!, xrefs: 00416A06
                                                  • .exe, xrefs: 0041699C
                                                  • %s.Blocked "%S" from creating "%S", xrefs: 00416A24
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$Filememset$CriticalSection_snprintfsprintf$AttributesCreateDeleteEnterLeaveMove_vsnprintflstrcmpstrstrwcsrchr
                                                  • String ID: %s.Blocked "%S" from creating "%S"$%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!$.exe$autorun.inf$pdef
                                                  • API String ID: 2285763329-814828592
                                                  • Opcode ID: 78c451892c24ecf2d05ed31fe8c2d047b423f8dc6c2901837ec75100c4e0b8b5
                                                  • Instruction ID: 4a1c53dfa44e6eeb016481d33efca5d2e499926ff52194a7b8f6fd13299400da
                                                  • Opcode Fuzzy Hash: 78c451892c24ecf2d05ed31fe8c2d047b423f8dc6c2901837ec75100c4e0b8b5
                                                  • Instruction Fuzzy Hash: 4111E6797C032033DA2026993D07FCB36594FA1B97F960037BD08F1292D99DE89181AE
                                                  APIs
                                                  • SetLastError.KERNEL32(00000000), ref: 001CA6EB
                                                  • RegCreateKeyExA.ADVAPI32(?,Software\Microsoft\Windows NT\CurrentVersion\Winlogon,00000000,00000000,00000000,00000002,00000000,?,00000000), ref: 001CA713
                                                  • GetLastError.KERNEL32 ref: 001CA719
                                                  • wsprintfA.USER32 ref: 001CA749
                                                  • lstrlenA.KERNEL32(?), ref: 001CA759
                                                  • RegSetValueExA.ADVAPI32(?,Shell,00000000,00000001,?,?), ref: 001CA780
                                                  • RegCloseKey.ADVAPI32(?), ref: 001CA78A
                                                  Strings
                                                  • "%s" -shell, xrefs: 001CA73D
                                                  • Shell, xrefs: 001CA777
                                                  • Software\Microsoft\Windows NT\CurrentVersion\Winlogon, xrefs: 001CA70A
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$CloseCreateValuelstrlenwsprintf
                                                  • String ID: "%s" -shell$Shell$Software\Microsoft\Windows NT\CurrentVersion\Winlogon
                                                  • API String ID: 2854385000-819943716
                                                  • Opcode ID: a94af88538b529eeb0b7fbf8c1a693eb9e29d44340c8a44a7c2d817a89a6de5a
                                                  • Instruction ID: f3a192eeaeeaae04f348c640ab0c28fff0ed59808de4faba1a79e176f4ee4dc8
                                                  • Opcode Fuzzy Hash: a94af88538b529eeb0b7fbf8c1a693eb9e29d44340c8a44a7c2d817a89a6de5a
                                                  • Instruction Fuzzy Hash: 76113379A80308BBD720DBA0DC4AFD97B7CAB55700F104198F745A61D1DBB4EAD48F94
                                                  APIs
                                                  • SetLastError.KERNEL32(00000000), ref: 001CB00B
                                                  • RegCreateKeyExA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00000000,00000000,00000002,00000000,?,00000000), ref: 001CB034
                                                  • GetLastError.KERNEL32 ref: 001CB03A
                                                  • wsprintfA.USER32 ref: 001CB06A
                                                  • lstrlenA.KERNEL32(?), ref: 001CB07A
                                                  • RegSetValueExA.ADVAPI32(?,Windows Update,00000000,00000001,?,?), ref: 001CB0A1
                                                  • RegCloseKey.ADVAPI32(?), ref: 001CB0AB
                                                  Strings
                                                  • "%s" -shell, xrefs: 001CB05E
                                                  • Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 001CB02A
                                                  • Windows Update, xrefs: 001CB098
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$CloseCreateValuelstrlenwsprintf
                                                  • String ID: "%s" -shell$Software\Microsoft\Windows\CurrentVersion\RunOnce$Windows Update
                                                  • API String ID: 2854385000-4182519842
                                                  • Opcode ID: 60dec7e6ae0f46abc34de5f2ba87158d41f900679e2e4b63ccd3490f382c737d
                                                  • Instruction ID: 22ec5c7d550a3589e5b871fcf69636dc7da8c6c2110c5c47bdece6840df040a0
                                                  • Opcode Fuzzy Hash: 60dec7e6ae0f46abc34de5f2ba87158d41f900679e2e4b63ccd3490f382c737d
                                                  • Instruction Fuzzy Hash: B1113079A80304BBD720DBA0DC4AFDA7B78AB25B00F104198F745A61D1DBF4EAD49F91
                                                  APIs
                                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 001C568E
                                                  • lstrcatA.KERNEL32(?,\ScreenSaverPro.scr), ref: 001C56A0
                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 001C56B2
                                                  • DeleteFileA.KERNEL32(?), ref: 001C56BF
                                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 001C56EA
                                                  • lstrcatA.KERNEL32(?,\temp.bin), ref: 001C56FC
                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 001C570E
                                                  • DeleteFileA.KERNEL32(?), ref: 001C571B
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: File$AttributesDeleteFolderPathlstrcat
                                                  • String ID: \ScreenSaverPro.scr$\temp.bin
                                                  • API String ID: 1210350844-1406291079
                                                  • Opcode ID: fbcfcc6e2498197c901f56f7dcff7d290a98397c11a5d14f8e4d42764d06832d
                                                  • Instruction ID: e6764790f7ce2dd48f3e2d5eceeefe38f86565301da54503c3947dc6b3fe65d3
                                                  • Opcode Fuzzy Hash: fbcfcc6e2498197c901f56f7dcff7d290a98397c11a5d14f8e4d42764d06832d
                                                  • Instruction Fuzzy Hash: B41151B55C4308BBE720DBA0DC8AFD97738AB25B01F440884B749D50D1EBF4D6D88B51
                                                  APIs
                                                  • SetLastError.KERNEL32(00000000), ref: 001CB1AB
                                                  • RegCreateKeyExA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run,00000000,00000000,00000000,00000002,00000000,001C94B6,00000000), ref: 001CB1D4
                                                  • GetLastError.KERNEL32 ref: 001CB1DA
                                                  • wsprintfA.USER32 ref: 001CB20A
                                                  • lstrlenA.KERNEL32(?), ref: 001CB21A
                                                  • RegSetValueExA.ADVAPI32(001C94B6,Windows Update,00000000,00000001,?,?), ref: 001CB241
                                                  • RegCloseKey.ADVAPI32(001C94B6), ref: 001CB24B
                                                  Strings
                                                  • "%s" -shell, xrefs: 001CB1FE
                                                  • Windows Update, xrefs: 001CB238
                                                  • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, xrefs: 001CB1CA
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$CloseCreateValuelstrlenwsprintf
                                                  • String ID: "%s" -shell$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run$Windows Update
                                                  • API String ID: 2854385000-1476424916
                                                  • Opcode ID: 407f0b2c40db08f5783c6f4739d4d31786791ba4be7dec6feb5b722d0a16ea32
                                                  • Instruction ID: b02c2c32ec08229df32930001287157f330436e4614870fe53bd68536219bd41
                                                  • Opcode Fuzzy Hash: 407f0b2c40db08f5783c6f4739d4d31786791ba4be7dec6feb5b722d0a16ea32
                                                  • Instruction Fuzzy Hash: B0112179A80304BBE720DBA0DC4AFD97B78AB15B01F104198B745A61D1DBB4EAD48F94
                                                  APIs
                                                  • WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF), ref: 00413DA4
                                                  • ReadFile.KERNEL32(?,-00427960,00000800,00000000,?,?,?,00000000,000000FF), ref: 00413DFF
                                                  • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 00413E3E
                                                  • ReadFile.KERNEL32(?,00427960,00000800,00000000,?), ref: 00413ED7
                                                  • GetLastError.KERNEL32 ref: 00413EE3
                                                  • GetLastError.KERNEL32 ref: 00413EEA
                                                  • GetLastError.KERNEL32 ref: 00413EF3
                                                  • DisconnectNamedPipe.KERNEL32(?), ref: 00413F68
                                                  • ConnectNamedPipe.KERNEL32(?), ref: 00413F7E
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$FileNamedPipeRead$ConnectDisconnectMultipleObjectsOverlappedResultWait
                                                  • String ID:
                                                  • API String ID: 4113577031-0
                                                  • Opcode ID: 86dfb8e90f1c9a9eebe4ce4462107768bbfa958f01d5436b9ad4c542dd212d0a
                                                  • Instruction ID: cb12d48883e702a46451552854a07a51dc024da914479c960d1dad7923070c92
                                                  • Opcode Fuzzy Hash: 86dfb8e90f1c9a9eebe4ce4462107768bbfa958f01d5436b9ad4c542dd212d0a
                                                  • Instruction Fuzzy Hash: 9D91F5B5604319EFD714CF18E8C4FAA77A8FB49305F404669E906C7350C735EA92CBA8
                                                  APIs
                                                  • memset.MSVCRT ref: 004190A0
                                                    • Part of subcall function 0041A0F0: wcsrchr.MSVCRT ref: 0041A0FA
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000208), ref: 00419101
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWidememsetwcsrchr
                                                  • String ID: %s.Blocked possible browser exploit pack call on URL '%s'$com$exe$firefox.exe$http$iexplore.exe$pdef$pif$scr
                                                  • API String ID: 519477765-3787805686
                                                  • Opcode ID: 0e65d9f41af3448a5e7d2b72cde8f498399ff5e52a119dcda580dfd83825bb03
                                                  • Instruction ID: 90ebd00926f05b0b70059eed584fc9642d2b0a39aa2794696729d0bb04fbde4a
                                                  • Opcode Fuzzy Hash: 0e65d9f41af3448a5e7d2b72cde8f498399ff5e52a119dcda580dfd83825bb03
                                                  • Instruction Fuzzy Hash: 503127B5A403157BEF20DA50AC0AFE7376C9B14355F00465BFC1892252E679EDE0C7AA
                                                  APIs
                                                  • lstrcmpA.KERNEL32(00000000,o1xg.org), ref: 001CBD30
                                                  • lstrcmpA.KERNEL32(00000000,oxxtxxt.biz), ref: 001CBD43
                                                  • lstrcmpA.KERNEL32(00000000,oeob.me), ref: 001CBD56
                                                  • lstrcmpA.KERNEL32(00000000,001D2438), ref: 001CBD6D
                                                  • lstrcmpA.KERNEL32(001D2438,impossible), ref: 001CBD81
                                                  • lstrcpyA.KERNEL32(001D2438,00000000), ref: 001CBDD1
                                                  • SetLastError.KERNEL32(00000000), ref: 001CBDF6
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: lstrcmp$ErrorLastlstrcpy
                                                  • String ID: impossible$o1xg.org$oeob.me$oxxtxxt.biz
                                                  • API String ID: 3502371415-2041036455
                                                  • Opcode ID: 5f35e79fc1e50f61f5bfcad377c9850ff1e88960e0fa52ba386a2dd7eb35dc10
                                                  • Instruction ID: e0bcbfc764560c9ce4af428ffafae17191f3f785df93c508e0cccfe3d886ba57
                                                  • Opcode Fuzzy Hash: 5f35e79fc1e50f61f5bfcad377c9850ff1e88960e0fa52ba386a2dd7eb35dc10
                                                  • Instruction Fuzzy Hash: 71311874A45209EBCB14DFA5E889FAA7BB5BB68705F00811DF919DB790C770D980CFA0
                                                  APIs
                                                  • lstrlenA.KERNEL32(00416E9C,00000000,00000000,00000000,?,?,00416E9C), ref: 0041B178
                                                  • HeapAlloc.KERNEL32(?,00000008,-00000002,?,?,00416E9C), ref: 0041B186
                                                  • lstrlenA.KERNEL32(00416E9C,?,?,00416E9C), ref: 0041B18F
                                                  • strstr.MSVCRT ref: 0041B19F
                                                  • strstr.MSVCRT ref: 0041B1B6
                                                  • lstrlenA.KERNEL32(-00000004,?,?,?,?,?,00416E9C), ref: 0041B1C3
                                                  • HeapAlloc.KERNEL32(?,00000008,-00000002,?,?,?,?,?,00416E9C), ref: 0041B1D2
                                                  • lstrlenA.KERNEL32(-00000004,?,?,?,?,?,00416E9C), ref: 0041B1DC
                                                  • lstrcpynA.KERNEL32(00000000,-00000004,00000001,?,?,?,?,?,00416E9C), ref: 0041B1E5
                                                  • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,00416E9C), ref: 0041B1F8
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$Heap$Allocstrstr$Freelstrcpyn
                                                  • String ID:
                                                  • API String ID: 1314289781-2344752452
                                                  • Opcode ID: 38918163aaeb1ad430c5e94f884788224a975fd2f767f6b3f3111a3697740cf7
                                                  • Instruction ID: e54fb73aef019e56c3ab38c3a21fb532d687ae644fc38a82533afe956b4b5cb1
                                                  • Opcode Fuzzy Hash: 38918163aaeb1ad430c5e94f884788224a975fd2f767f6b3f3111a3697740cf7
                                                  • Instruction Fuzzy Hash: A011A372B013247BD720ABA59C45FAB77ACEF58751F414026FA04E3211DA78ED018BF8
                                                  APIs
                                                  • RegOpenKeyExA.ADVAPI32(80000002,001C9133,00000000,00000003,?), ref: 001C967C
                                                  • RegEnumValueA.ADVAPI32(?,00000000,?,00000100,00000000,?,?,00000100), ref: 001C9702
                                                  • StrRChrA.SHLWAPI(?,00000000,0000002E), ref: 001C976E
                                                  • StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 001C98BB
                                                  • RegCloseKey.ADVAPI32(?), ref: 001C9955
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: CloseEnumOpenValue
                                                  • String ID: :Zone.Identifier
                                                  • API String ID: 4012628704-2436405130
                                                  • Opcode ID: 847be2e6898da658bbf4d0ff1d4daa0ae3979af8d2bd0cd4d289a7cd8edb2949
                                                  • Instruction ID: 4e74abe356995054ad7ce36dde955b040ee9e3268e3f88d101508cee053db2b2
                                                  • Opcode Fuzzy Hash: 847be2e6898da658bbf4d0ff1d4daa0ae3979af8d2bd0cd4d289a7cd8edb2949
                                                  • Instruction Fuzzy Hash: 55814AB6D4021CABDB24DB90DC89FEAB778AB68304F0445DDE209A6141E7B1DBC4CF95
                                                  APIs
                                                  • HeapAlloc.KERNEL32(?,00000008,00000000,?,00000000,?), ref: 0041AC1A
                                                  • HttpQueryInfoW.WININET(?,8000002D,00000000,?,?), ref: 0041AC3E
                                                  • GetLastError.KERNEL32 ref: 0041AC44
                                                  • HeapReAlloc.KERNEL32(?,00000008,00000000,?), ref: 0041AC5E
                                                  • HttpQueryInfoW.WININET(?,8000002D,00000000,?,?), ref: 0041AC79
                                                  • lstrcmpW.KERNEL32(POST,00000000), ref: 0041AC85
                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 0041AC99
                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 0041ACB2
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Heap$AllocFreeHttpInfoQuery$ErrorLastlstrcmp
                                                  • String ID: POST
                                                  • API String ID: 770645459-1814004025
                                                  • Opcode ID: bce4cd8a9d9e10e2f8901b8181b632f28e22bc997a111d237b9fd828b7be65aa
                                                  • Instruction ID: da37423a0f391499a70c4f14bf520bf7be0ffe9f058e3cb06dbea46da8f6d3bd
                                                  • Opcode Fuzzy Hash: bce4cd8a9d9e10e2f8901b8181b632f28e22bc997a111d237b9fd828b7be65aa
                                                  • Instruction Fuzzy Hash: 6B21D135601204BBD7309BA5AC88FFB7BBCEB89751F504266FA04E2250E630DD21C7E9
                                                  APIs
                                                  • SetLastError.KERNEL32(00000000), ref: 001CA7AB
                                                  • RegCreateKeyExA.ADVAPI32(?,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00000000,00000000,00000002,00000000,?,00000000), ref: 001CA7D3
                                                  • GetLastError.KERNEL32 ref: 001CA7D9
                                                  • wsprintfA.USER32 ref: 001CA809
                                                  • lstrlenA.KERNEL32(?), ref: 001CA819
                                                  • RegSetValueExA.ADVAPI32(?,001D11B8,00000000,00000001,?,?), ref: 001CA840
                                                  • RegCloseKey.ADVAPI32(?), ref: 001CA84A
                                                  Strings
                                                  • Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 001CA7CA
                                                  • "%s" -bind, xrefs: 001CA7FD
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$CloseCreateValuelstrlenwsprintf
                                                  • String ID: "%s" -bind$Software\Microsoft\Windows\CurrentVersion\Run
                                                  • API String ID: 2854385000-1962850063
                                                  • Opcode ID: 225aef4320c3da30901255ef880d9e1ab05ec5599453d8bacb98302e40e101f1
                                                  • Instruction ID: 3deaec821c52edba6354c8cbaa453cddbd1a374940d60d6f97d2df17117d94de
                                                  • Opcode Fuzzy Hash: 225aef4320c3da30901255ef880d9e1ab05ec5599453d8bacb98302e40e101f1
                                                  • Instruction Fuzzy Hash: 08118679A80308BBD720DBA0DC4AFD97B38AB55B00F104198F745A65D1DBF4EAD48F90
                                                  APIs
                                                  • CreateFileA.KERNEL32(C:\log.txt,00000004,00000001,00000000,00000003,00000080,00000000), ref: 001C7F5A
                                                  • CloseHandle.KERNEL32(000000FF), ref: 001C7F6D
                                                  • CreateFileA.KERNEL32(C:\log.txt,00000002,00000001,00000000,00000001,00000080,00000000), ref: 001C7F87
                                                  • WriteFile.KERNEL32(000000FF,001C241C,00000002,?,00000000), ref: 001C7FA1
                                                  • lstrlenA.KERNEL32(000000FF,?,00000000), ref: 001C7FB1
                                                  • WriteFile.KERNEL32(000000FF,000000FF,00000000), ref: 001C7FC0
                                                  • CloseHandle.KERNEL32(000000FF), ref: 001C7FCA
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: File$CloseCreateHandleWrite$lstrlen
                                                  • String ID: C:\log.txt$C:\log.txt
                                                  • API String ID: 2678504728-3239557954
                                                  • Opcode ID: 5ad74cdf2a339ad912de23d39a7aa65ad5dda39ede8a71c0b8015c5eeafc3292
                                                  • Instruction ID: ddb9c836e305cad699b295d2dac69cfcf8d058c01087463f9f534adac030ca41
                                                  • Opcode Fuzzy Hash: 5ad74cdf2a339ad912de23d39a7aa65ad5dda39ede8a71c0b8015c5eeafc3292
                                                  • Instruction Fuzzy Hash: F7111B75680304BBEB24DBE0DC4AFD97B78AB08B11F104158F701AA2C1DAB4E6D08B54
                                                  APIs
                                                    • Part of subcall function 00419300: inet_addr.WS2_32(n"A), ref: 00419308
                                                    • Part of subcall function 00419300: gethostbyname.WS2_32(n"A), ref: 00419313
                                                  • GetTickCount.KERNEL32 ref: 00419467
                                                  • htons.WS2_32(?), ref: 00419490
                                                  • GetTickCount.KERNEL32 ref: 004194BD
                                                  • GetTickCount.KERNEL32 ref: 004194C1
                                                  • socket.WS2_32(00000002,00000002,00000011), ref: 004194F6
                                                  • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 00419511
                                                  • sendto.WS2_32(?,?,00001964,00000000,00000002,00000010), ref: 0041953C
                                                  • Sleep.KERNEL32(00000064,00000002,00000002,00000011), ref: 00419549
                                                  • closesocket.WS2_32(?), ref: 00419559
                                                  • GetTickCount.KERNEL32 ref: 00419564
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: CountTick$Sleepclosesocketgethostbynamehtonsinet_addrioctlsocketsendtosocket
                                                  • String ID:
                                                  • API String ID: 2400900511-0
                                                  • Opcode ID: af301dfe40dc679e9d1e773f1618bbef5cccfd672fb63ff24cbf23f63670eaf8
                                                  • Instruction ID: 44056818312e4a63b402ec28b01cb88387e7888e2bcb697ebcc784cf0b3b87a2
                                                  • Opcode Fuzzy Hash: af301dfe40dc679e9d1e773f1618bbef5cccfd672fb63ff24cbf23f63670eaf8
                                                  • Instruction Fuzzy Hash: 62318472A001346BD720FBF94846BFEB2D99F88308F420537F915E3191C5788D42C7A9
                                                  APIs
                                                  • memset.MSVCRT ref: 0041ACF5
                                                  • HeapAlloc.KERNEL32(?,00000008,00000000,?,00000000,?), ref: 0041AD0A
                                                  • InternetQueryOptionW.WININET(?,00000022,00000000,?), ref: 0041AD2B
                                                  • GetLastError.KERNEL32 ref: 0041AD31
                                                  • HeapReAlloc.KERNEL32(?,00000008,00000000,?), ref: 0041AD4F
                                                  • InternetQueryOptionW.WININET(?,00000022,00000000,?), ref: 0041AD63
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000104,00000000,00000000), ref: 0041AD80
                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0041AD93
                                                  • lstrcpyA.KERNEL32(?,00000000), ref: 0041ADB3
                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 0041ADE6
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Heap$AllocInternetOptionQuery$??2@ByteCharErrorFreeLastMultiWidelstrcpymemset
                                                  • String ID:
                                                  • API String ID: 3155763378-0
                                                  • Opcode ID: 2d999acb2c968bdf66fd48da9bb82bf59afe33a9942c866eb2254dd8182563c1
                                                  • Instruction ID: 0c711004174816730d5cd91db296527dfce98d9314f290b3bb18df55a4e7e202
                                                  • Opcode Fuzzy Hash: 2d999acb2c968bdf66fd48da9bb82bf59afe33a9942c866eb2254dd8182563c1
                                                  • Instruction Fuzzy Hash: 6A31E034600314BBE720DB95DC84FEB7BB8EF89711F504259FA04AB290C7B49D91CBA9
                                                  APIs
                                                    • Part of subcall function 00419300: inet_addr.WS2_32(n"A), ref: 00419308
                                                    • Part of subcall function 00419300: gethostbyname.WS2_32(n"A), ref: 00419313
                                                  • htons.WS2_32(?), ref: 0041935D
                                                  • GetTickCount.KERNEL32 ref: 0041936F
                                                  • GetTickCount.KERNEL32 ref: 00419373
                                                  • socket.WS2_32(00000002,00000001,00000000), ref: 004193A6
                                                  • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 004193C1
                                                  • connect.WS2_32(?,?,00000010), ref: 004193DE
                                                  • Sleep.KERNEL32(00000064,?,?,00000010,00000002,00000001,00000000), ref: 004193EB
                                                  • closesocket.WS2_32(?), ref: 004193F8
                                                  • Sleep.KERNEL32(0000004B,?), ref: 00419405
                                                  • GetTickCount.KERNEL32 ref: 00419407
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: CountTick$Sleep$closesocketconnectgethostbynamehtonsinet_addrioctlsocketsocket
                                                  • String ID:
                                                  • API String ID: 1090714710-0
                                                  APIs
                                                  • memset.MSVCRT ref: 004189C5
                                                  • AcquireCredentialsHandleW.SECUR32(00000000,Microsoft Unified Security Protocol Provider,00000002,00000000,?,00000000,00000000,?,00000000), ref: 00418A32
                                                  • QueryContextAttributesW.SECUR32(?,00000004,00000001), ref: 00418AC3
                                                  • InitializeSecurityContextW.SECUR32(?,00000000,?,0008C11C,00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 00418A79
                                                    • Part of subcall function 00418760: FreeContextBuffer.SECUR32(?), ref: 00418774
                                                    • Part of subcall function 00418790: InitializeSecurityContextW.SECUR32(?,?,?,0008C11C,00000000,00000000,?,00000000,00000000,?,?,00000000), ref: 004188AE
                                                  • DeleteSecurityContext.SECUR32(?), ref: 00418B17
                                                  • FreeCredentialsHandle.SECUR32(?), ref: 00418B1E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Context$Security$CredentialsFreeHandleInitialize$AcquireAttributesBufferDeleteQuerymemset
                                                  • String ID: $Microsoft Unified Security Protocol Provider
                                                  • API String ID: 3657786480-3891800672
                                                  APIs
                                                  • memset.MSVCRT ref: 00411D31
                                                  • memset.MSVCRT ref: 00411D4B
                                                  • lstrcmpA.KERNEL32(00000000,block), ref: 00411D9B
                                                  • strstr.MSVCRT ref: 00411DAB
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000400), ref: 00411DCA
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000200,00000000,00000000), ref: 00411E0C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWidememset$lstrcmpstrstr
                                                  • String ID: bdns$block
                                                  • API String ID: 1883446694-4143068083
                                                  APIs
                                                  • memset.MSVCRT ref: 0041A6AF
                                                  • memset.MSVCRT ref: 0041A6CA
                                                  • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000026,00000000), ref: 0041A6DF
                                                  • PathAppendW.SHLWAPI(?,00421728), ref: 0041A6F9
                                                  • _snwprintf.MSVCRT ref: 0041A71B
                                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000010,00000000,00000000,00000044,?), ref: 0041A77F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Pathmemset$AppendCreateFolderProcessSpecial_snwprintf
                                                  • String ID: "%s" %S$D
                                                  • API String ID: 1165436438-3572644092
                                                  APIs
                                                  • SHGetFolderPathA.SHELL32(00000000,00000025,00000000,00000000,?), ref: 001CA8F5
                                                  • lstrcatA.KERNEL32(?,001C2720), ref: 001CA907
                                                  • lstrcatA.KERNEL32(?,userinit.exe), ref: 001CA919
                                                  • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 001CA945
                                                  • CreateProcessA.KERNEL32(00000000,explorer.exe,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 001CA968
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: CreateProcesslstrcat$FolderPath
                                                  • String ID: D$explorer.exe$userinit.exe
                                                  • API String ID: 3442338259-24035540
                                                  APIs
                                                  • lstrcmpA.KERNEL32(?,0045AC50), ref: 0041100D
                                                  • lstrcmpA.KERNEL32(?,0045AA28), ref: 00411054
                                                  • MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 00411062
                                                  • lstrcpyA.KERNEL32(00426D88,?), ref: 0041108B
                                                  • lstrcpyA.KERNEL32(00426E90,?), ref: 00411093
                                                    • Part of subcall function 00417700: memset.MSVCRT ref: 0041771E
                                                    • Part of subcall function 00417700: _snprintf.MSVCRT ref: 00417738
                                                    • Part of subcall function 00417700: lstrlenA.KERNEL32(00000000), ref: 00417747
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: lstrcmplstrcpy$FileMove_snprintflstrlenmemset
                                                  • String ID: %s.%s$pdef$ruskill
                                                  • API String ID: 4105673886-2574534833
                                                  APIs
                                                  • lstrcpyA.KERNEL32(001D2438,impossible), ref: 001CBC0E
                                                  • LoadLibraryW.KERNEL32(dnsapi.dll), ref: 001CBC19
                                                  • GetProcAddress.KERNEL32(?,DnsQuery_A), ref: 001CBC5D
                                                  • GetProcAddress.KERNEL32(?,DnsFree), ref: 001CBC6F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$LibraryLoadlstrcpy
                                                  • String ID: DnsFree$DnsQuery_A$dnsapi.dll$impossible
                                                  • API String ID: 3626614484-559448556
                                                  APIs
                                                  • SetFileAttributesA.KERNEL32(001C98F9,00000080), ref: 001C9FF2
                                                  • DeleteFileA.KERNEL32(001C98F9), ref: 001C9FFC
                                                  • lstrcpyA.KERNEL32(?,001C98F9), ref: 001CA027
                                                  • StrRChrA.SHLWAPI(?,00000000,0000002E), ref: 001CA038
                                                  • lstrcpyA.KERNEL32(00000000,.quarantined), ref: 001CA059
                                                  • MoveFileExA.KERNEL32(001C98F9,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 001CA06C
                                                  • RegDeleteValueA.ADVAPI32(?,?), ref: 001CA07A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: File$Deletelstrcpy$AttributesMoveValue
                                                  • String ID: .quarantined
                                                  • API String ID: 1367357117-1160447256
                                                  APIs
                                                  • SetLastError.KERNEL32(00000000), ref: 001CB12B
                                                  • RegCreateKeyExA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00000000,00000000,00000002,00000000,001C50CD,00000000), ref: 001CB154
                                                  • GetLastError.KERNEL32 ref: 001CB15A
                                                  • lstrlenA.KERNEL32(001C50CD), ref: 001CB168
                                                  • RegSetValueExA.ADVAPI32(001C50CD,Windows Update,00000000,00000001,001C50CD,?), ref: 001CB18C
                                                  • RegCloseKey.ADVAPI32(001C50CD), ref: 001CB196
                                                  Strings
                                                  • Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 001CB14A
                                                  • Windows Update, xrefs: 001CB183
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$CloseCreateValuelstrlen
                                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Run$Windows Update
                                                  • API String ID: 1542516886-1771306399
                                                  APIs
                                                  • strtok.MSVCRT ref: 00419C7C
                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 00419C9A
                                                  • lstrcpyA.KERNEL32(0045B648,00421335), ref: 00419CB3
                                                  • lstrcpynA.KERNEL32(0045B648,00000000,00000200), ref: 00419CC4
                                                  • strtok.MSVCRT ref: 00419CDB
                                                  • atoi.MSVCRT ref: 00419CE8
                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 00419D73
                                                  Strings
                                                  • [Slowloris]: Starting flood on "%s" for %d minute(s), xrefs: 00419CF9
                                                  • [Slowloris]: Finished flood on "%s", xrefs: 00419D45
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: FreeHeapstrtok$atoilstrcpylstrcpyn
                                                  • String ID: [Slowloris]: Finished flood on "%s"$[Slowloris]: Starting flood on "%s" for %d minute(s)
                                                  • API String ID: 1726920797-1250431664
                                                  APIs
                                                  • _stricmp.MSVCRT(?,GetAddrInfoW), ref: 00420C14
                                                  • _stricmp.MSVCRT(?,send), ref: 00420C26
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: _stricmp
                                                  • String ID: GetAddrInfoW$dnsapi.dll$nspr4.dll$send$wininet.dll
                                                  • API String ID: 2884411883-3553644081
                                                  APIs
                                                  • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 001C55D4
                                                  • wsprintfA.USER32 ref: 001C55ED
                                                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 001C561A
                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 001C562C
                                                  • DeleteFileA.KERNEL32(?), ref: 001C5639
                                                  • CopyFileA.KERNEL32(?,?,00000000), ref: 001C564F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: File$AttributesCopyDeleteFolderModuleNamePathwsprintf
                                                  • String ID: %s\c731200
                                                  • API String ID: 589293570-1377743397
                                                  APIs
                                                  • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00000000,00000001,00000000), ref: 001CB90F
                                                  • RegQueryValueExA.ADVAPI32(00000000,ConsentPromptBehaviorAdmin,00000000,00000000,FFFFFFFF,00000004), ref: 001CB947
                                                  • RegQueryValueExA.ADVAPI32(00000000,EnableLUA,00000000,00000000,FFFFFFFF,00000004), ref: 001CB979
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 001CB983
                                                  Strings
                                                  • ConsentPromptBehaviorAdmin, xrefs: 001CB93E
                                                  • SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 001CB905
                                                  • EnableLUA, xrefs: 001CB970
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: QueryValue$CloseOpen
                                                  • String ID: ConsentPromptBehaviorAdmin$EnableLUA$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
                                                  • API String ID: 1586453840-3936960567
                                                  APIs
                                                  • lstrlenA.KERNEL32(00000000,?,http.set,?,msn.int,?,004257F4,?,004257F0,?,speed,?,rs0,?,stats), ref: 0041C8DD
                                                  • lstrlenA.KERNEL32(?,?,http.set,?,msn.int,?,004257F4,?,004257F0,?,speed,?,rs0,?,stats), ref: 0041C8E5
                                                  • lstrcatA.KERNEL32(00000000,00422C78,?,?,http.set,?,msn.int,?,004257F4,?,004257F0,?,speed,?,rs0), ref: 0041C907
                                                  • lstrcatA.KERNEL32(00000000,?,?,?,http.set,?,msn.int,?,004257F4,?,004257F0,?,speed,?,rs0), ref: 0041C913
                                                  • lstrcmpA.KERNEL32(00000000,http.int,?,http.set,?,msn.int,?,004257F4,?,004257F0,?,speed,?,rs0,?,stats), ref: 0041C985
                                                  • atoi.MSVCRT ref: 0041C99C
                                                  • atoi.MSVCRT ref: 0041C9AF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: atoilstrcatlstrlen$lstrcmp
                                                  • String ID: [HTTP]: Updated HTTP spread message to "%s"$http$msg
                                                  • API String ID: 3861295430-3390247340
                                                  APIs
                                                  • RegCreateKeyExA.ADVAPI32(?,Software\Microsoft\Windows NT\CurrentVersion\Winlogon,00000000,00000000,00000000,00000002,00000000,?,00000000), ref: 001CAF68
                                                  • GetLastError.KERNEL32 ref: 001CAF6E
                                                  • RegSetValueExA.ADVAPI32(?,Shell,00000000,00000001,explorer.exe,0000000C), ref: 001CAF95
                                                  • RegCloseKey.ADVAPI32(?), ref: 001CAF9F
                                                  Strings
                                                  • explorer.exe, xrefs: 001CAF83
                                                  • Software\Microsoft\Windows NT\CurrentVersion\Winlogon, xrefs: 001CAF5F
                                                  • Shell, xrefs: 001CAF8C
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: CloseCreateErrorLastValue
                                                  • String ID: Shell$Software\Microsoft\Windows NT\CurrentVersion\Winlogon$explorer.exe
                                                  • API String ID: 3352405036-2475075456
                                                  APIs
                                                  • SetLastError.KERNEL32(00000000,?,001C910E), ref: 001CB268
                                                  • RegCreateKeyExA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 001CB294
                                                  • GetLastError.KERNEL32 ref: 001CB29A
                                                  • RegDeleteValueA.ADVAPI32(?,Windows Update), ref: 001CB2AD
                                                  • RegCloseKey.ADVAPI32(?), ref: 001CB2B7
                                                  Strings
                                                  • Windows Update, xrefs: 001CB2A4
                                                  • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, xrefs: 001CB28A
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$CloseCreateDeleteValue
                                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run$Windows Update
                                                  • API String ID: 2802250149-3708533339
                                                  • Opcode ID: 27d7d651061f9262180938e227a6bc76779c783ca45456e8ee439ae7a7a30cbb
                                                  • Instruction ID: 50b43953a50cefdfa7e38ddd80e819904393fe96ac2a914632bd122878130407
                                                  • Opcode Fuzzy Hash: 27d7d651061f9262180938e227a6bc76779c783ca45456e8ee439ae7a7a30cbb
                                                  • Instruction Fuzzy Hash: FCF08275A80308BBD7109BA0DC4AFED7F78AB14B01F100048FB05E65D1DBB0E5908B65
                                                  APIs
                                                  • SetLastError.KERNEL32(00000000), ref: 001CB0C8
                                                  • RegCreateKeyExA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00000000,00000000,00000002,00000000,?,00000000), ref: 001CB0F1
                                                  • GetLastError.KERNEL32 ref: 001CB0F7
                                                  • RegDeleteValueA.ADVAPI32(?,Windows Update), ref: 001CB10A
                                                  • RegCloseKey.ADVAPI32(?), ref: 001CB114
                                                  Strings
                                                  • Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 001CB0E7
                                                  • Windows Update, xrefs: 001CB101
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$CloseCreateDeleteValue
                                                  • String ID: Software\Microsoft\Windows\CurrentVersion\RunOnce$Windows Update
                                                  • API String ID: 2802250149-3174618451
                                                  • Opcode ID: e3ed4387d5110be54261a99602b04e3f0ef44a88ed5adcee9ade17040a3dca48
                                                  • Instruction ID: d1393039f6d03cafa4bf6291447d94dac8997b427d304c6ef9eee0729bad1b3f
                                                  • Opcode Fuzzy Hash: e3ed4387d5110be54261a99602b04e3f0ef44a88ed5adcee9ade17040a3dca48
                                                  • Instruction Fuzzy Hash: F5F08275A80208BBD7109BE0DC4AFD97FB8AB15B02F100058FB05E61D2DBB0E5908B61
                                                  APIs
                                                  • ReadFile.KERNEL32(?,-00427960,00000800,00000000,?,?,?,00000000,000000FF), ref: 00413DFF
                                                  • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 00413E3E
                                                  • ReadFile.KERNEL32(?,00427960,00000800,00000000,?), ref: 00413ED7
                                                  • GetLastError.KERNEL32 ref: 00413EE3
                                                  • GetLastError.KERNEL32 ref: 00413EEA
                                                  • GetLastError.KERNEL32 ref: 00413EF3
                                                  • WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF), ref: 00413F0D
                                                  • GetLastError.KERNEL32(?,?,00000000,000000FF), ref: 00413F1D
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$FileRead$MultipleObjectsOverlappedResultWait
                                                  • String ID:
                                                  • API String ID: 146293752-0
                                                  • Opcode ID: a295b6291a86213c78e74c16827f313ff827f1b5f285d284164165b92b1be62d
                                                  • Instruction ID: 81a1f139921b4cea795b4b57875b82c41e1e283b297af425ea2161f09ab88226
                                                  • Opcode Fuzzy Hash: a295b6291a86213c78e74c16827f313ff827f1b5f285d284164165b92b1be62d
                                                  • Instruction Fuzzy Hash: D441B1B4604319AFE710CF68DCC4FAA77A8FF49304F408658E54587395C735EA92CBA9
                                                  APIs
                                                  • ReadFile.KERNEL32(?,-00427960,00000800,00000000,?,?,?,00000000,000000FF), ref: 00413DFF
                                                  • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 00413E3E
                                                  • ReadFile.KERNEL32(?,00427960,00000800,00000000,?), ref: 00413ED7
                                                  • GetLastError.KERNEL32 ref: 00413EE3
                                                  • GetLastError.KERNEL32 ref: 00413EEA
                                                  • GetLastError.KERNEL32 ref: 00413EF3
                                                  • WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF), ref: 00413F0D
                                                  • GetLastError.KERNEL32(?,?,00000000,000000FF), ref: 00413F1D
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$FileRead$MultipleObjectsOverlappedResultWait
                                                  • String ID:
                                                  • API String ID: 146293752-0
                                                  • Opcode ID: b33797f428e08f9b8cf1b8c75282708d204af3c32806b2e2b122f5f9bb1c06dd
                                                  • Instruction ID: 92ec8c1eeafc9a7268641ffcea9aeae0153105723f055617340a490d29106a03
                                                  • Opcode Fuzzy Hash: b33797f428e08f9b8cf1b8c75282708d204af3c32806b2e2b122f5f9bb1c06dd
                                                  • Instruction Fuzzy Hash: 3A41B1B4600319AFE710CF68D8C4FAA77A8FF49304F408659E50687395C735EA92CBA9
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$_snprintf_vsnprintflstrcmp
                                                  • String ID: %s_$bdns
                                                  • API String ID: 3897371274-741241040
                                                  • Opcode ID: 25867ff245e3c516d50a85fb334a3dafda0594548a60c28ade512d399f63203c
                                                  • Instruction ID: 2666b550137d9d0ec1b522a5c495deb1a7c619025cbd488ed2142cb8df6e1691
                                                  • Opcode Fuzzy Hash: 25867ff245e3c516d50a85fb334a3dafda0594548a60c28ade512d399f63203c
                                                  • Instruction Fuzzy Hash: 192107727042257BEB209E69AC89FFB776CEB44754F44056AFD09D3601EA38CE41C6E4
                                                  APIs
                                                  • LocalAlloc.KERNEL32(00000040,0000103C), ref: 00418688
                                                  • htons.WS2_32(?), ref: 004186AE
                                                  • inet_ntoa.WS2_32(?), ref: 004186F7
                                                  • htons.WS2_32(?), ref: 00418704
                                                  • GetTickCount.KERNEL32 ref: 00418713
                                                  • CreateThread.KERNEL32(00000000,00000000,00418640,00000000,00000000,00000000), ref: 00418734
                                                  • CloseHandle.KERNEL32(00000000), ref: 0041873B
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: htons$AllocCloseCountCreateHandleLocalThreadTickinet_ntoa
                                                  • String ID:
                                                  • API String ID: 30336511-0
                                                  • Opcode ID: 505fbc90da3dda9809374a28a2fa03628ef904fa2d245e35d717e3e6c609eb87
                                                  • Instruction ID: a894d0fd27c03ca5b6c8d0e79a7414f607b950957bfab89262cf0ee943e713fb
                                                  • Opcode Fuzzy Hash: 505fbc90da3dda9809374a28a2fa03628ef904fa2d245e35d717e3e6c609eb87
                                                  • Instruction Fuzzy Hash: AA21087460070096D3205B70EC0A7D776E4AF08345F14492EF9AD872E1DBB895C18B5D
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: lstrlenmemset$_snprintflstrcpy
                                                  • String ID: off$state_%s
                                                  • API String ID: 1009457118-628336787
                                                  • Opcode ID: 5b14aca4d572f92e8cfe519af261d0df79ed311cf529761c6b2c92559b608fc8
                                                  • Instruction ID: 435f483b21da473ed1ef9d4e0401ad675d72d44176d2de8fa020cc6f911aee56
                                                  • Opcode Fuzzy Hash: 5b14aca4d572f92e8cfe519af261d0df79ed311cf529761c6b2c92559b608fc8
                                                  • Instruction Fuzzy Hash: EF1133F5A4122877D720E650DD46FEB737C8F94704F4000DAFB48A61C2E6F82BC48AA9
                                                  APIs
                                                  • memset.MSVCRT ref: 0041FCB0
                                                  • lstrlenA.KERNEL32(30e4*ga1), ref: 0041FCBD
                                                  • _snprintf.MSVCRT ref: 0041FCE0
                                                  • lstrcpyW.KERNEL32(0045B9A0,0045ADA0), ref: 0041FCF2
                                                  • lstrcpyA.KERNEL32(0045BDB0,00422FC0), ref: 0041FD08
                                                  • lstrcpyA.KERNEL32(0045BEB4,?), ref: 0041FD16
                                                    • Part of subcall function 0041F9E0: memset.MSVCRT ref: 0041F9FF
                                                    • Part of subcall function 0041F9E0: GetLogicalDriveStringsA.KERNEL32(000001FF,00000000), ref: 0041FA22
                                                    • Part of subcall function 0041F9E0: lstrcatA.KERNEL32(00000000,00423040), ref: 0041FA5C
                                                  • Sleep.KERNEL32(00003A98), ref: 0041FD61
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: lstrcpy$memset$DriveLogicalSleepStrings_snprintflstrcatlstrlen
                                                  • String ID: 30e4*ga1
                                                  • API String ID: 530497602-1706321449
                                                  • Opcode ID: 7df6ceafd49e0829145c630f9d1ff384c8361658dc2cc77eda970c5451933c8a
                                                  • Instruction ID: 1a885e5ab2fb2e15ee9b566c31aae9a560024367c9e80b24bef1f2e39bf90ff9
                                                  • Opcode Fuzzy Hash: 7df6ceafd49e0829145c630f9d1ff384c8361658dc2cc77eda970c5451933c8a
                                                  • Instruction Fuzzy Hash: CA1198B1A403286BD310AF55BC82BA57768EB18705F90407BFA44921A3D7B859C98F9D
                                                  APIs
                                                  • htons.WS2_32(?), ref: 00412A44
                                                    • Part of subcall function 00412460: GetProcessHeap.KERNEL32(?,004120DE,?), ref: 0041246C
                                                    • Part of subcall function 00412460: HeapAlloc.KERNEL32(?,00000008,004120DE,?,004120DE,?), ref: 0041247E
                                                  • socket.WS2_32(00000002,00000001,00000006), ref: 00412A8A
                                                  • WSAGetLastError.WS2_32(00000002,00000001,00000006), ref: 00412A96
                                                  • GetLastError.KERNEL32(00000002,00000001,00000006), ref: 00412A9B
                                                    • Part of subcall function 004124A0: GetProcessHeap.KERNEL32(00000000,?,00412131,00000000), ref: 004124B4
                                                    • Part of subcall function 004124A0: HeapFree.KERNEL32(?,00000000,1!A,00000000,?,00412131,00000000), ref: 004124C3
                                                  • inet_ntoa.WS2_32(00000002), ref: 00412AEE
                                                  • connect.WS2_32(00000000,?,00000010), ref: 00412AFC
                                                  • Sleep.KERNEL32(000005DC,00000000,?,00000010,00000001,00000006), ref: 00412B0B
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Heap$ErrorLastProcess$AllocFreeSleepconnecthtonsinet_ntoasocket
                                                  • String ID:
                                                  • API String ID: 268164981-0
                                                  • Opcode ID: 0316925dc34788b4ba9a28cae707f81c15d105fb411b73139c3b3c37f2b5e401
                                                  • Instruction ID: f4836483b6b078ff480b19788b656258d7bdd0de386f17909df8d6128545030e
                                                  • Opcode Fuzzy Hash: 0316925dc34788b4ba9a28cae707f81c15d105fb411b73139c3b3c37f2b5e401
                                                  • Instruction Fuzzy Hash: 04413A71F00214ABCB20EFA9D981AAFB3B5EF44324F00456BE519DB341D7B5A991CBC9
                                                  APIs
                                                  • select.WS2_32(00000000,00000000,?,00000000,?), ref: 00417FD4
                                                  • send.WS2_32(?,?,?,00000000), ref: 00417FFB
                                                  • LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,00000000,?), ref: 00418004
                                                  • select.WS2_32(00000000,00000000,00000000,00000001,?), ref: 0041803D
                                                  • select.WS2_32(00000000,?,00000000,00000000,?), ref: 00418081
                                                  • recv.WS2_32(?,?,00001000,00000000), ref: 0041809A
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: select$FreeLocalrecvsend
                                                  • String ID:
                                                  • API String ID: 1822081929-0
                                                  • Opcode ID: fea421dc897fa3b5875f7fe8948fdbe49ff2e37a1218a6fc51113ddc5f51111d
                                                  • Instruction ID: bdc7cf0cb9509b9f402867c1a6da2559927f9de2e7347e5b7373ab88fc52e70a
                                                  • Opcode Fuzzy Hash: fea421dc897fa3b5875f7fe8948fdbe49ff2e37a1218a6fc51113ddc5f51111d
                                                  • Instruction Fuzzy Hash: 9E419E71600714ABD730DF59DC81BE7B3F8EB88710F004A8EF5898B691D7B5A9C58B94
                                                  APIs
                                                    • Part of subcall function 00412460: GetProcessHeap.KERNEL32(?,004120DE,?), ref: 0041246C
                                                    • Part of subcall function 00412460: HeapAlloc.KERNEL32(?,00000008,004120DE,?,004120DE,?), ref: 0041247E
                                                    • Part of subcall function 0041AFA0: lstrlenA.KERNEL32(?,?,00000000,00000000), ref: 0041AFBD
                                                    • Part of subcall function 0041AFA0: HeapAlloc.KERNEL32(?,00000008,-00000002), ref: 0041AFCB
                                                    • Part of subcall function 0041AFA0: memset.MSVCRT ref: 0041AFE8
                                                    • Part of subcall function 0041AFA0: memset.MSVCRT ref: 0041B002
                                                    • Part of subcall function 0041AFA0: lstrlenA.KERNEL32(?), ref: 0041B013
                                                    • Part of subcall function 0041AFA0: sscanf.MSVCRT ref: 0041B02A
                                                    • Part of subcall function 0041AFA0: strtok.MSVCRT ref: 0041B041
                                                    • Part of subcall function 0041AFA0: _memicmp.MSVCRT ref: 0041B05B
                                                    • Part of subcall function 0041AFA0: strtok.MSVCRT ref: 0041B06E
                                                    • Part of subcall function 0041AFA0: lstrlenA.KERNEL32(00000000), ref: 0041B09B
                                                    • Part of subcall function 0041AFA0: lstrlenA.KERNEL32(00000000), ref: 0041B0AD
                                                    • Part of subcall function 0041AFA0: lstrlenA.KERNEL32(00000000), ref: 0041B0BB
                                                    • Part of subcall function 0041AFA0: lstrlenA.KERNEL32(00000000), ref: 0041B0C6
                                                    • Part of subcall function 0041AFA0: HeapAlloc.KERNEL32(?,00000000,?), ref: 0041B0D5
                                                    • Part of subcall function 0041AFA0: _memicmp.MSVCRT ref: 0041B0EB
                                                  • strstr.MSVCRT ref: 00416EBC
                                                  • lstrlenA.KERNEL32(00000000,?,?,?,?,?,?), ref: 00416EC9
                                                  • lstrlenA.KERNEL32(?,?,?,?,?), ref: 00416EE7
                                                  • HeapFree.KERNEL32(?,00000000,00000000,?,?), ref: 00416F1A
                                                  • HeapFree.KERNEL32(?,00000000,?,?,?), ref: 00416F2C
                                                  • HeapFree.KERNEL32(?,00000000,00000000,?,?), ref: 00416F3C
                                                    • Part of subcall function 0041B160: lstrlenA.KERNEL32(00416E9C,00000000,00000000,00000000,?,?,00416E9C), ref: 0041B178
                                                    • Part of subcall function 0041B160: HeapAlloc.KERNEL32(?,00000008,-00000002,?,?,00416E9C), ref: 0041B186
                                                    • Part of subcall function 0041B160: lstrlenA.KERNEL32(00416E9C,?,?,00416E9C), ref: 0041B18F
                                                    • Part of subcall function 0041B160: strstr.MSVCRT ref: 0041B19F
                                                    • Part of subcall function 0041B160: strstr.MSVCRT ref: 0041B1B6
                                                    • Part of subcall function 0041B160: lstrlenA.KERNEL32(-00000004,?,?,?,?,?,00416E9C), ref: 0041B1C3
                                                    • Part of subcall function 0041B160: HeapAlloc.KERNEL32(?,00000008,-00000002,?,?,?,?,?,00416E9C), ref: 0041B1D2
                                                    • Part of subcall function 0041B160: lstrlenA.KERNEL32(-00000004,?,?,?,?,?,00416E9C), ref: 0041B1DC
                                                    • Part of subcall function 0041B160: lstrcpynA.KERNEL32(00000000,-00000004,00000001,?,?,?,?,?,00416E9C), ref: 0041B1E5
                                                    • Part of subcall function 0041B160: HeapFree.KERNEL32(?,00000000,00000000,?,?,?,00416E9C), ref: 0041B1F8
                                                    • Part of subcall function 004201E0: memset.MSVCRT ref: 00420202
                                                    • Part of subcall function 004201E0: GetProcessHeap.KERNEL32(00000000,00000000,00000000), ref: 00420213
                                                    • Part of subcall function 004201E0: EnterCriticalSection.KERNEL32(0045B4E4), ref: 00420223
                                                    • Part of subcall function 004201E0: strstr.MSVCRT ref: 00420243
                                                    • Part of subcall function 004201E0: lstrlenA.KERNEL32(00000000), ref: 00420254
                                                    • Part of subcall function 004201E0: HeapAlloc.KERNEL32(00000000,00000008,00000001), ref: 0042025F
                                                    • Part of subcall function 004201E0: lstrcpyA.KERNEL32(00000000,00000000), ref: 00420272
                                                    • Part of subcall function 004201E0: strstr.MSVCRT ref: 00420281
                                                    • Part of subcall function 004201E0: _snprintf.MSVCRT ref: 004202C8
                                                    • Part of subcall function 004201E0: strstr.MSVCRT ref: 004202EF
                                                    • Part of subcall function 004201E0: HeapFree.KERNEL32(?,00000000,00000000), ref: 004203E4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Heaplstrlen$Allocstrstr$Free$memset$Process_memicmpstrtok$CriticalEnterSection_snprintflstrcpylstrcpynsscanf
                                                  • String ID: POST
                                                  • API String ID: 836748388-1814004025
                                                  • Opcode ID: ae9213cf462908cfbb3c7b020614b5f86cfea982ba15e3f3e5b8ba16b2ff129d
                                                  • Instruction ID: 56b5397b5b9ae2e9ec27f629ed46dd7ea2eabb08af118018e80e70e461c4d173
                                                  • Opcode Fuzzy Hash: ae9213cf462908cfbb3c7b020614b5f86cfea982ba15e3f3e5b8ba16b2ff129d
                                                  • Instruction Fuzzy Hash: 7931C575A00305ABD7109F95EC85EEB77ACEB84305F15417AF90893301DA39EDA1CBAA
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: lstrcmplstrcpynlstrlenmemmovememsetstrchr
                                                  • String ID: 332
                                                  • API String ID: 3300951897-3855660651
                                                  • Opcode ID: 08f8b604bbfd41645fdff0161f555c3dadc026e4f5c4c795e2aabbf21e0eb9ef
                                                  • Instruction ID: 22edb4ba4ee4edcf14f657ddb1d169210bfe1529d96ecb492b9bdb123d59cdb0
                                                  • Opcode Fuzzy Hash: 08f8b604bbfd41645fdff0161f555c3dadc026e4f5c4c795e2aabbf21e0eb9ef
                                                  • Instruction Fuzzy Hash: 393135B5A002167BEB209B29CCC9FA737ACEF48344F44416AF90987242E734ED45CBB4
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: _snprintf_vsnprintflstrcmplstrlen
                                                  • String ID: %s_$bdns
                                                  • API String ID: 4220314296-741241040
                                                  • Opcode ID: a45f70619e4ce34348201ccf8a35af594715caf11e76660e3374eefbaef21a08
                                                  • Instruction ID: 9bb40240670b01535b8b8bc9fcc5d77e1844fc402fe80d9e69bac700ce583ae8
                                                  • Opcode Fuzzy Hash: a45f70619e4ce34348201ccf8a35af594715caf11e76660e3374eefbaef21a08
                                                  • Instruction Fuzzy Hash: B221D6727002186BEB209E69ECC5FEB7368EB48724F44056AFD18D7201E674994187E8
                                                  APIs
                                                  • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00413BD8
                                                  • CreateNamedPipeA.KERNEL32(?,40000001,00000000,000000FF,00010000,00010000,00000000,00000000), ref: 00413C0F
                                                  • ConnectNamedPipe.KERNEL32(00000000,?), ref: 00413C25
                                                  • GetLastError.KERNEL32 ref: 00413C2F
                                                  • GetLastError.KERNEL32 ref: 00413C46
                                                  • SetEvent.KERNEL32(00000000), ref: 00413C56
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: CreateErrorEventLastNamedPipe$Connect
                                                  • String ID:
                                                  • API String ID: 3507186782-0
                                                  • Opcode ID: b2483fafc6c4b1da6ba69678eab149574eee30cb5a2e5ccc661baad1cac529d5
                                                  • Instruction ID: 2a68506fab5478ab533618a206aae29b95fd7dac8139f849faa983c85218910c
                                                  • Opcode Fuzzy Hash: b2483fafc6c4b1da6ba69678eab149574eee30cb5a2e5ccc661baad1cac529d5
                                                  • Instruction Fuzzy Hash: 9C21F8763442066FE7208F64DCC4BDA7764EF54761F204536FA0DDA290E3B4E9918B98
                                                  APIs
                                                    • Part of subcall function 00413810: GetProcessHeap.KERNEL32(00000000,00000000,?,00414046,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00413819
                                                    • Part of subcall function 00413810: HeapAlloc.KERNEL32(00000000,?,00414046,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00413820
                                                  • sprintf.MSVCRT ref: 0041F2E9
                                                  • CreateFileA.KERNEL32(00000000,00000000,00000003,00000000,00000003,00000000,00000000), ref: 0041F2FA
                                                  • memset.MSVCRT ref: 0041F323
                                                  • DeviceIoControl.KERNEL32(00000000,002D1400,004209A7,0000000C,?,00000400,00000000,00000000), ref: 0041F352
                                                  • CloseHandle.KERNEL32(00000000), ref: 0041F35B
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Heap$AllocCloseControlCreateDeviceFileHandleProcessmemsetsprintf
                                                  • String ID: \\.\%c:
                                                  • API String ID: 2995886503-1260769427
                                                  • Opcode ID: 29dda8a114ed6d59bdb824513a0fd999e115f27278301fe1d43e0579ee5209d0
                                                  • Instruction ID: c6a7c0f148651ce4ebd8671ad3baf320762a72b0d5fac15b92b30e0212eb3f10
                                                  • Opcode Fuzzy Hash: 29dda8a114ed6d59bdb824513a0fd999e115f27278301fe1d43e0579ee5209d0
                                                  • Instruction Fuzzy Hash: 7E21C8F1A0021C7BD710DF959C85EFF77BCEB45754F00417AFA18A2281D6B40F8586A5
                                                  APIs
                                                  • WSAStartup.WS2_32(00000202,?), ref: 004181E3
                                                  • socket.WS2_32(00000002,00000001,00000006), ref: 004181F9
                                                  • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 0041820F
                                                  • closesocket.WS2_32(00000000), ref: 0041821A
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Startupclosesocketioctlsocketsocket
                                                  • String ID:
                                                  • API String ID: 3235567692-0
                                                  • Opcode ID: 99a00781a98e2d090824e08d9e6a8e1d87241bac9156ba88cfc4ef0652faaba6
                                                  • Instruction ID: 946a62439174014658d7cadf7f0db2581d37bc35688f0e01cdb85c1df3cdb50a
                                                  • Opcode Fuzzy Hash: 99a00781a98e2d090824e08d9e6a8e1d87241bac9156ba88cfc4ef0652faaba6
                                                  • Instruction Fuzzy Hash: 74014E7174022875E620E6A46C03FFE739CCF05724F40079AFB18A61C2EBF54A84439D
                                                  APIs
                                                  • GetForegroundWindow.USER32 ref: 001CB6B4
                                                  • ShellExecuteExW.SHELL32(0000003C), ref: 001CB6C1
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: ExecuteForegroundShellWindow
                                                  • String ID: -aav_start$<$@$runas
                                                  • API String ID: 2707725784-542670659
                                                  • Opcode ID: 2b40d8f8bd208c296c5adba0e28a7db5196e89b4b28a12a233a50152089f15cb
                                                  • Instruction ID: 99bb796a357180d4109d5095c51871bd8cdb182cdb0fdbe71f9cb405e5dd3f8f
                                                  • Opcode Fuzzy Hash: 2b40d8f8bd208c296c5adba0e28a7db5196e89b4b28a12a233a50152089f15cb
                                                  • Instruction Fuzzy Hash: D4F0FFB4C01308ABDB00EF91E989BCEBFB4EB14304F00411CE904BA291DB758548CF95
                                                  APIs
                                                  • CreateThread.KERNEL32(00000000,00000000,0041E750,00000000,00000000,00000000), ref: 0041A659
                                                  • MessageBoxA.USER32(00000000,This binary is invalid.Main reasons:- you stupid cracker- you stupid cracker...- you stupid cracker?!,binBot Error,00000030), ref: 0041A66F
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041A678
                                                  • ExitProcess.KERNEL32 ref: 0041A680
                                                  Strings
                                                  • This binary is invalid.Main reasons:- you stupid cracker- you stupid cracker...- you stupid cracker?!, xrefs: 0041A666
                                                  • binBot Error, xrefs: 0041A661
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: CreateExitMessageObjectProcessSingleThreadWait
                                                  • String ID: This binary is invalid.Main reasons:- you stupid cracker- you stupid cracker...- you stupid cracker?!$binBot Error
                                                  • API String ID: 2697768853-794396656
                                                  • Opcode ID: 007e1f8bc5418ab52cbc357b45cc7102966880ec34f695cdac58054436b5c0fc
                                                  • Instruction ID: 017473834e0f4868fddb193b867e9d2cd455288800f29994cd0f53afdba92c95
                                                  • Opcode Fuzzy Hash: 007e1f8bc5418ab52cbc357b45cc7102966880ec34f695cdac58054436b5c0fc
                                                  • Instruction Fuzzy Hash: F7E067357C5365B6E63517A06D0BF8425145B14F12FB14221B725BD8F08AD42181476D
                                                  APIs
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001C3CEA
                                                  • Process32First.KERNEL32(?,00000128), ref: 001C3D23
                                                  • lstrlenA.KERNEL32(?,00000008,?,00000128,?,00000002,00000000), ref: 001C3D49
                                                  • Process32Next.KERNEL32(?,00000128), ref: 001C3E1D
                                                  • CloseHandle.KERNEL32(?,?,00000128,?,?,00000128,?,00000002,00000000), ref: 001C3E31
                                                  • Sleep.KERNEL32(00000064,?,?,00000128,?,00000002,00000000), ref: 001C3E39
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Process32$CloseCreateFirstHandleNextSleepSnapshotToolhelp32lstrlen
                                                  • String ID:
                                                  • API String ID: 1833734960-0
                                                  • Opcode ID: 7dce4641ebb25943c62c81fbe322b08ee0f7e5e06906ccb7a3a3eac048f9f2a1
                                                  • Instruction ID: 2307f6623fcb936ca73575609e9859aa65a9a796eccbd74d3591a2af28a9c2e6
                                                  • Opcode Fuzzy Hash: 7dce4641ebb25943c62c81fbe322b08ee0f7e5e06906ccb7a3a3eac048f9f2a1
                                                  • Instruction Fuzzy Hash: 8231AF70902218EBDB20DF94EC91FE977B9EB69304F544189E505A7280DB71AFD0CF50
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$_snprintf_vsnprintfmemset
                                                  • String ID: %s_
                                                  • API String ID: 3230270962-1040268105
                                                  • Opcode ID: c1f7129ccb97dc8595883b70c8eae493fe50cf74c49f6a1622348f4312b397e5
                                                  • Instruction ID: 21913b8e1788866381fd1571039c32de0b128fb8f904d3c677156d07e89ba050
                                                  • Opcode Fuzzy Hash: c1f7129ccb97dc8595883b70c8eae493fe50cf74c49f6a1622348f4312b397e5
                                                  • Instruction Fuzzy Hash: CF110C7264031937F720E6689C86FF777ACDF84704F4506ADBD1897182E6B49E4087A4
                                                  APIs
                                                  • _snprintf.MSVCRT ref: 004202C8
                                                  • strstr.MSVCRT ref: 004202EF
                                                  • atoi.MSVCRT ref: 00420322
                                                  • lstrlenA.KERNEL32(00000000), ref: 00420386
                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 004203E4
                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 004203EE
                                                  • LeaveCriticalSection.KERNEL32(0045B4E4), ref: 004203FD
                                                  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0042041F
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: FreeHeap$CriticalLeaveSection_snprintfatoilstrlenstrstr
                                                  • String ID: %s=
                                                  • API String ID: 1805118874-2646424381
                                                  • Opcode ID: 3bd495c94d2cf94b1845063fb4ee60025debd81aa5fc25055987a1b854d50d3f
                                                  • Instruction ID: 8347e2f027c1613bc8f53527555681418292f497d5f0efdaf6ec461bc122e920
                                                  • Opcode Fuzzy Hash: 3bd495c94d2cf94b1845063fb4ee60025debd81aa5fc25055987a1b854d50d3f
                                                  • Instruction Fuzzy Hash: 1F112C71B40229ABDB20D750EC81B7BB3B8EB44304F50416BED0853241DA78AD418BA9
                                                  APIs
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001CA0ED
                                                  • Process32First.KERNEL32(?,00000128), ref: 001CA106
                                                  • lstrcmpiA.KERNEL32(?,001C98DC), ref: 001CA116
                                                  • lstrcmpiA.KERNEL32(?,001C98DC), ref: 001CA13E
                                                  • Process32Next.KERNEL32(?,00000128), ref: 001CA165
                                                  • CloseHandle.KERNEL32(?,?,00000128), ref: 001CA175
                                                    • Part of subcall function 001CA090: OpenProcess.KERNEL32(00000001,00000000,001C4F80,?,?,001C4F80,?), ref: 001CA09C
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Process32lstrcmpi$CloseCreateFirstHandleNextOpenProcessSnapshotToolhelp32
                                                  • String ID:
                                                  • API String ID: 3775481326-0
                                                  • Opcode ID: c92e4631809556a6a55e70ac779b9c421027d4b01d932bc47fca0e7289140819
                                                  • Instruction ID: e1e74421be2ff3e5d40a2efd5f347fe97a2628bd53a8d1db023946fd9a0c662f
                                                  • Opcode Fuzzy Hash: c92e4631809556a6a55e70ac779b9c421027d4b01d932bc47fca0e7289140819
                                                  • Instruction Fuzzy Hash: E31151B6900218ABC721EB70DC86FDA7778AF3C704F04419CF649D6241EB35DAA48F91
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: CleanupCountCriticalExitInitializeSectionSleepThreadTick
                                                  • String ID:
                                                  • API String ID: 544336047-0
                                                  • Opcode ID: 0358097770b8e9322b72589c89946b6294c10d9be52ea3a2547014d9b0d5209b
                                                  • Instruction ID: 8b3cf3a2726a872ffe37ce808df585b7ca9b8dd1a88d7af6845d6ba7ad6d5503
                                                  • Opcode Fuzzy Hash: 0358097770b8e9322b72589c89946b6294c10d9be52ea3a2547014d9b0d5209b
                                                  • Instruction Fuzzy Hash: 91F096F0E0062066D6303BB57E0A5EE35605F24329B900737F611C22F1EB3C89D2899E
                                                  APIs
                                                  • _snprintf.MSVCRT ref: 004145D5
                                                  • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00414BA5,?), ref: 004145FD
                                                  • MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000,?,?,00010000,EDB88320,00000000), ref: 00414636
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: File$CreateMappingView_snprintf
                                                  • String ID: %s_%d
                                                  • API String ID: 1261873476-1933919280
                                                  • Opcode ID: 1b03e9ed4d00417a3f63186b493b7a16727b82aae5f0bd6d08c7ea2d229ab655
                                                  • Instruction ID: ca3ac9d8987945fd6ce4225030778996befc2ce3b785f45dc52d48db70d97f61
                                                  • Opcode Fuzzy Hash: 1b03e9ed4d00417a3f63186b493b7a16727b82aae5f0bd6d08c7ea2d229ab655
                                                  • Instruction Fuzzy Hash: DD61F4716002029FD325CF18D881BB6B7E5FF84308F28817DE6868B3C5D778A9A0DB84
                                                  APIs
                                                    • Part of subcall function 00419FF0: strtok.MSVCRT ref: 0041A013
                                                    • Part of subcall function 00419FF0: strtok.MSVCRT ref: 0041A04F
                                                  • lstrlenA.KERNEL32(?), ref: 0041E517
                                                  • _memicmp.MSVCRT ref: 0041E525
                                                  • Sleep.KERNEL32(000003E8), ref: 0041E54E
                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 0041E57A
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: strtok$FreeHeapSleep_memicmplstrlen
                                                  • String ID: [Login]: %s
                                                  • API String ID: 2470415281-2266835287
                                                  • Opcode ID: 05dc217809222071bb855408e7aa8343c3f73807c450b6e0aa820ac974a33968
                                                  • Instruction ID: b8ec23545db506fe4447c8e80a192518660acec220ed83d253e35877531d26c9
                                                  • Opcode Fuzzy Hash: 05dc217809222071bb855408e7aa8343c3f73807c450b6e0aa820ac974a33968
                                                  • Instruction Fuzzy Hash: C621D7B5600204BBD720DB86DD82FAB73A9EB88745F50442AFD0443342E77DED91C6A9
                                                  APIs
                                                  • lstrlenA.KERNEL32(?), ref: 001C9F13
                                                  • StrRChrA.SHLWAPI(?,00000000,0000005C), ref: 001C9F38
                                                  • lstrlenA.KERNEL32(00000000), ref: 001C9F54
                                                  • CreateProcessA.KERNEL32(?,001C98A9,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 001C9FCF
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$CreateProcess
                                                  • String ID: D
                                                  • API String ID: 3224327505-2746444292
                                                  • Opcode ID: ede42a01f9942027ade05713b899bd294e57602d188b56b51906953525b55dbf
                                                  • Instruction ID: 4666e09c9538666e3088b899557b26370581ab3b85d31e7172c808582a6714fc
                                                  • Opcode Fuzzy Hash: ede42a01f9942027ade05713b899bd294e57602d188b56b51906953525b55dbf
                                                  • Instruction Fuzzy Hash: BE2163BA940218BBDB10DB60DC86FDA7738AB68700F044598F7099B181E7B5DAC4CFA5
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,CreateFileW), ref: 00411C6E
                                                    • Part of subcall function 00413750: LdrGetProcedureAddress.NTDLL(?,00000000,00000000,?), ref: 0041376B
                                                  • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00411CC6
                                                  • CloseHandle.KERNEL32(00000000), ref: 00411CD9
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Handle$AddressCloseFileModuleProcedureWrite
                                                  • String ID: CreateFileW$kernel32.dll
                                                  • API String ID: 2185083974-2113957990
                                                  • Opcode ID: 088d3c48486fba8a348d3856a45977800a62436acc42dab2897f60a603ac2e53
                                                  • Instruction ID: dec6ddc31d6be0c381c1af471a5fa3f5813bc8cc01e5cac187987cdef0ccf83d
                                                  • Opcode Fuzzy Hash: 088d3c48486fba8a348d3856a45977800a62436acc42dab2897f60a603ac2e53
                                                  • Instruction Fuzzy Hash: D2016BB17401147FDB149F68DC85FFB335DAB49324F508229FA15932E0E2745D5543E8
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,?,?,?,00416C55,00000000), ref: 00416DA1
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: HandleModule
                                                  • String ID: NtQueryInformationProcess$NtSetInformationProcess$UlA$ntdll.dll
                                                  • API String ID: 4139908857-1888948905
                                                  • Opcode ID: 297803cb35190f0cc22b958c6d74dec3df0886dad720ce8bfb6404569689851c
                                                  • Instruction ID: bb1a6e8ae008c2916a26dd5165e0f063b0b773d1e6a5fc8278b41003aa929146
                                                  • Opcode Fuzzy Hash: 297803cb35190f0cc22b958c6d74dec3df0886dad720ce8bfb6404569689851c
                                                  • Instruction Fuzzy Hash: 4701D4B274131837EA205949AC45FEB739CCB8A729F410197FE08E7280DAA9DD4182E8
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: ProcWindowsprintf
                                                  • String ID: %c:\$@WB$[USB]: Infected %s
                                                  • API String ID: 3179433310-1794846690
                                                  • Opcode ID: 9676a84d616279f3605f5d5a34ff45bc59c751ff6d67b33e35bc075635c9147c
                                                  • Instruction ID: 84d600f71b1fbf90830d6440262520908de0f8a01a754bf0e910bf257c72680e
                                                  • Opcode Fuzzy Hash: 9676a84d616279f3605f5d5a34ff45bc59c751ff6d67b33e35bc075635c9147c
                                                  • Instruction Fuzzy Hash: 5E11A7B560010C5BC720DF64DD51EBB73ACEB44308F44456AFE0992242E639E9968B6D
                                                  APIs
                                                    • Part of subcall function 001CB3B0: RegOpenKeyExA.ADVAPI32(80000001,Software\WindowsId Manager Reader,00000000,00000001,00000000,001C9377), ref: 001CB3D6
                                                    • Part of subcall function 001CB3B0: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 001CB3FF
                                                    • Part of subcall function 001CB3B0: RegCloseKey.ADVAPI32(00000000), ref: 001CB422
                                                    • Part of subcall function 001CB2D0: RegCreateKeyExA.ADVAPI32(80000001,Software\WindowsId Manager Reader,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 001CB300
                                                    • Part of subcall function 001CB2D0: RegSetValueExA.ADVAPI32(00000000,00000000,00000000,?,?,?), ref: 001CB322
                                                    • Part of subcall function 001CB2D0: RegCloseKey.ADVAPI32(00000000), ref: 001CB32C
                                                    • Part of subcall function 001CA980: GetCurrentProcess.KERNEL32 ref: 001CA98D
                                                    • Part of subcall function 001CA980: OpenProcessToken.ADVAPI32(?,00000028,00000000), ref: 001CA9A0
                                                    • Part of subcall function 001CA980: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 001CA9B0
                                                    • Part of subcall function 001CA980: AdjustTokenPrivileges.ADVAPI32(00000000,00000000,00000001,00000010,00000000,00000000), ref: 001CA9D4
                                                  • InitiateSystemShutdownExA.ADVAPI32(00000000,Windows critical error, require reboot,00000000,00000001,00000001,00000000), ref: 001CAF2E
                                                  Strings
                                                  • Windows critical error, require reboot, xrefs: 001CAF27
                                                  • itergtdw11qyucgHGGDsggd, xrefs: 001CAF05
                                                  • itergtdw11qyucgHGGDsggd, xrefs: 001CAEE1
                                                  • SeShutdownPrivilege, xrefs: 001CAF12
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Value$CloseOpenProcessToken$AdjustCreateCurrentInitiateLookupPrivilegePrivilegesQueryShutdownSystem
                                                  • String ID: SeShutdownPrivilege$Windows critical error, require reboot$itergtdw11qyucgHGGDsggd$itergtdw11qyucgHGGDsggd
                                                  • API String ID: 159947062-3875966801
                                                  • Opcode ID: 16080c1c5cdaa24889b622817dcc6846524a35e78f1880efa73a9f5c9e3192bb
                                                  • Instruction ID: 16e2b05f600fffcc4d8bf51c2fb02baaea421ba5028207eede63a864aae9049c
                                                  • Opcode Fuzzy Hash: 16080c1c5cdaa24889b622817dcc6846524a35e78f1880efa73a9f5c9e3192bb
                                                  • Instruction Fuzzy Hash: 7FF054B4A81308B7EB10E7809C83F6D72649B70F18F50005CFB04661C2E7F1AB54969A
                                                  APIs
                                                  • Sleep.KERNEL32(000003E8), ref: 0041D5E4
                                                    • Part of subcall function 00418F50: ApplyControlToken.SECUR32(?,?), ref: 00418FB5
                                                    • Part of subcall function 00418F50: InitializeSecurityContextA.SECUR32(?,?,00000000,0008C11C,00000000,00000010,00000000,00000000,?,?,?,?), ref: 00418FF9
                                                    • Part of subcall function 00418F50: DeleteSecurityContext.SECUR32(?,?,?,00000000,0008C11C,00000000,00000010,00000000,00000000,?,?,?,?), ref: 00419025
                                                    • Part of subcall function 00418F50: FreeCredentialsHandle.SECUR32(?), ref: 0041902F
                                                  • Sleep.KERNEL32(0000000F), ref: 0041D659
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: ContextSecuritySleep$ApplyControlCredentialsDeleteFreeHandleInitializeToken
                                                  • String ID: %s:%d$cnc$VB
                                                  • API String ID: 3241915987-828167106
                                                  • Opcode ID: 0fa48a072d3ec19eebe29e7e9abd41d5b420f21d0b2af39aa1937f6bf170400d
                                                  • Instruction ID: d3c343e080fdf9df477e8df163302c9231212e4c6d6d62a7525c77efb55fb5b5
                                                  • Opcode Fuzzy Hash: 0fa48a072d3ec19eebe29e7e9abd41d5b420f21d0b2af39aa1937f6bf170400d
                                                  • Instruction Fuzzy Hash: 9441D6B5E00114ABC710DB99DC819EFB3B9EB84314F14416AFD09D7316D635ED81C7A9
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: strstr$lstrcmp
                                                  • String ID: bdns$block
                                                  • API String ID: 142677638-4143068083
                                                  • Opcode ID: 44575a9a35436960e6f7d31d0bfc83e7b8910bb28b9d9164c41d9efb5409f79f
                                                  • Instruction ID: b143bf56c1c29bfd74cdc83c00c0b699a97a32b984247d8aa5770a975194ad83
                                                  • Opcode Fuzzy Hash: 44575a9a35436960e6f7d31d0bfc83e7b8910bb28b9d9164c41d9efb5409f79f
                                                  • Instruction Fuzzy Hash: E2219C767002186B9B10DF49BC85EEB336DDB98721F04412BFD01D2351E678ED5186B9
                                                  APIs
                                                  • HeapAlloc.KERNEL32(?,00000008,00000314,?,?,001C82D6,?,?), ref: 001C8C2D
                                                  • lstrcpyA.KERNEL32(00000000,?,?,001C82D6,?,?), ref: 001C8C44
                                                  • lstrcpyA.KERNEL32(-00000105,001C82D6,?,001C82D6,?,?), ref: 001C8C5B
                                                  • HeapAlloc.KERNEL32(?,00000008,00000314,?,?,001C82D6,?,?), ref: 001C8C8C
                                                  • lstrcpyA.KERNEL32(?,?,?,001C82D6,?,?), ref: 001C8CBB
                                                  • lstrcpyA.KERNEL32(?,001C82D6,?,001C82D6,?,?), ref: 001C8CD1
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: lstrcpy$AllocHeap
                                                  • String ID:
                                                  • API String ID: 333684582-0
                                                  • Opcode ID: e93bfc76f86dbd4b2e65451b09c94a7addba9a9cbb7f4ed2327d7e97d0e8bcab
                                                  • Instruction ID: 8eaa647ae8683e3617f7d1ae73e205d06a3ef1179959e0382cd1270dedf74823
                                                  • Opcode Fuzzy Hash: e93bfc76f86dbd4b2e65451b09c94a7addba9a9cbb7f4ed2327d7e97d0e8bcab
                                                  • Instruction Fuzzy Hash: BD318778600208EFC704CFA4C694E9ABBF5FB4D304F248698E9099B756C775EE81DB90
                                                  APIs
                                                  • LocalAlloc.KERNEL32(00000040,0000103A), ref: 00417E2C
                                                  • socket.WS2_32(00000002,00000001,00000006), ref: 00417E63
                                                  • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 00417E7A
                                                  • connect.WS2_32(?,00000008,00000010), ref: 00417E8B
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: AllocLocalconnectioctlsocketsocket
                                                  • String ID:
                                                  • API String ID: 3721573447-0
                                                  • Opcode ID: 57233da19d0590c1fa75038d594e48892c63616abf31aa31dc2dd88c751d3a35
                                                  • Instruction ID: e59f8335dd763b65d5d723b0387274124b2f8086d4fbc8e230d628df9a640e9d
                                                  • Opcode Fuzzy Hash: 57233da19d0590c1fa75038d594e48892c63616abf31aa31dc2dd88c751d3a35
                                                  • Instruction Fuzzy Hash: 2A11D331B00314ABC730DF69D809AD6B7E8EF49724F00469AFA599B391D2B1A8918798
                                                  APIs
                                                  • lstrlenA.KERNEL32(?), ref: 0041E77C
                                                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00000012,?), ref: 0041E793
                                                  • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?,00000000), ref: 0041E7B5
                                                  • RegNotifyChangeKeyValue.ADVAPI32(?,00000000,00000004,00000000,00000000), ref: 0041E7C3
                                                  • RegCloseKey.ADVAPI32(?), ref: 0041E7D1
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Value$ChangeCloseNotifyOpenlstrlen
                                                  • String ID:
                                                  • API String ID: 2592630252-0
                                                  • Opcode ID: 6414d33234034251c86ff1f905e132d224f91f690f3adf42ab464c59768eaed1
                                                  • Instruction ID: cce8b9f682e32504db1f52322e9f9e9d1cc00135e4b379fffaf26ed29b19ece3
                                                  • Opcode Fuzzy Hash: 6414d33234034251c86ff1f905e132d224f91f690f3adf42ab464c59768eaed1
                                                  • Instruction Fuzzy Hash: B8011A79340304BFE730CF65DC89F9777ACEB98B50F508419BA499B690D674E8418B68
                                                  APIs
                                                  • memset.MSVCRT ref: 0041771E
                                                  • _snprintf.MSVCRT ref: 00417738
                                                  • lstrlenA.KERNEL32(00000000), ref: 00417747
                                                    • Part of subcall function 00414900: WaitForSingleObject.KERNEL32(00417495,000000FF,?,00000000,771B0440,?,00417495), ref: 00414939
                                                    • Part of subcall function 00414900: ReleaseMutex.KERNEL32(?,?,00417495), ref: 0041497C
                                                  • lstrcmpA.KERNEL32(00000000,00421A30), ref: 0041777F
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: MutexObjectReleaseSingleWait_snprintflstrcmplstrlenmemset
                                                  • String ID: state_%s
                                                  • API String ID: 1716770999-3670522127
                                                  • Opcode ID: 6aef773de407e19fe1728e5c437f861b7933faf097a7e17e2954be34da455ebf
                                                  • Instruction ID: 3d67892c2c79d93b49b69c2ff7ef1777f0fb86ab8db6def76cd81374c4c7f957
                                                  • Opcode Fuzzy Hash: 6aef773de407e19fe1728e5c437f861b7933faf097a7e17e2954be34da455ebf
                                                  • Instruction Fuzzy Hash: 18012BF5A503186BDB10F6A0DD0BFF973BC8B54704F4045E5B618D2082F6745A544A98
                                                  APIs
                                                  • _snprintf.MSVCRT ref: 0041510F
                                                  • CreateMutexA.KERNEL32(00000000,00000000,?), ref: 00415122
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041512B
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: CreateMutexObjectSingleWait_snprintf
                                                  • String ID: %s-comm
                                                  • API String ID: 3057366584-1028030816
                                                  • Opcode ID: 2b16997be99c4fd35858be06b2413f83450a5a9e556022cea55095eddf0b741e
                                                  • Instruction ID: 9d8c5efef669063a70255c0791701952cfe6562c4c609ff8d34c0836104b0918
                                                  • Opcode Fuzzy Hash: 2b16997be99c4fd35858be06b2413f83450a5a9e556022cea55095eddf0b741e
                                                  • Instruction Fuzzy Hash: CB21FC71A80204FBD714DB91DC42FDB3328A794716F14099AF90493193E77CDE94CBA9
                                                  APIs
                                                  • RegOpenKeyExA.ADVAPI32(80000001,Software\WindowsId Manager Reader,00000000,00000001,00000000,001C9377), ref: 001CB3D6
                                                  • RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 001CB3FF
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 001CB422
                                                  Strings
                                                  • Software\WindowsId Manager Reader, xrefs: 001CB3CC
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: CloseOpenQueryValue
                                                  • String ID: Software\WindowsId Manager Reader
                                                  • API String ID: 3677997916-3596387974
                                                  • Opcode ID: 341589ccfa29a2977b190d6ea6e06911f492789cee4489cfcd61e220ffef1855
                                                  • Instruction ID: 0dc5ffaee0d6bcc8a9619c37e9ed681e82f0a2474be47fe2e481a38e95da3ea6
                                                  • Opcode Fuzzy Hash: 341589ccfa29a2977b190d6ea6e06911f492789cee4489cfcd61e220ffef1855
                                                  • Instruction Fuzzy Hash: 3E011AB5944208FBDB04CFD4C889FEEBBB8EB04305F108098FA11A7281C7B49A84CF91
                                                  APIs
                                                  • RegCreateKeyExA.ADVAPI32(80000001,Software\WindowsId Manager Reader,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 001CB300
                                                  • RegSetValueExA.ADVAPI32(00000000,00000000,00000000,?,?,?), ref: 001CB322
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 001CB32C
                                                  Strings
                                                  • Software\WindowsId Manager Reader, xrefs: 001CB2F6
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: CloseCreateValue
                                                  • String ID: Software\WindowsId Manager Reader
                                                  • API String ID: 1818849710-3596387974
                                                  • Opcode ID: 4de7295c7a57de711cf727513fb2ebaaf1b5b6573ed8c5327f28e50b95d5267c
                                                  • Instruction ID: 98734ca2e2932d8bf6b75ef5a77e755e05bf6cf581253424a109575194cfa22d
                                                  • Opcode Fuzzy Hash: 4de7295c7a57de711cf727513fb2ebaaf1b5b6573ed8c5327f28e50b95d5267c
                                                  • Instruction Fuzzy Hash: 87F0FF75640208BBDB14CFD4DC4AFDE7B78BB48701F604148F605A72D0D7B4AA94CBA5
                                                  APIs
                                                  • _snprintf.MSVCRT ref: 0041508F
                                                  • CreateMutexA.KERNEL32(00000000,00000000,?), ref: 004150A2
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004150AB
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: CreateMutexObjectSingleWait_snprintf
                                                  • String ID: %s-pid
                                                  • API String ID: 3057366584-2694366501
                                                  • Opcode ID: 75a25227df47573dc43d41828af44dd0b61cc33b7be48a697f0f311f537161c3
                                                  • Instruction ID: 727c1864f9f7d798c5309510a2fdf239e0af8447df984e26659cf78029feb901
                                                  • Opcode Fuzzy Hash: 75a25227df47573dc43d41828af44dd0b61cc33b7be48a697f0f311f537161c3
                                                  • Instruction Fuzzy Hash: 92F059B4B40304A7EB20A7B09C8BFD732589360711F500677F604A11D1EAF885C086ED
                                                  APIs
                                                  • GetDesktopWindow.USER32 ref: 001CAFC4
                                                  • FindWindowExA.USER32(00000000,00000000,Progman,00000000), ref: 001CAFE0
                                                  • Sleep.KERNEL32(000001F4), ref: 001CAFF1
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Window$DesktopFindSleep
                                                  • String ID: Progman
                                                  • API String ID: 2752603811-3542350831
                                                  • Opcode ID: 719aaca014ddbe938ddccd338175292346e26e56cd734e8311357c6d7686303c
                                                  • Instruction ID: b6fe2a59da96c50c254edd58c6abcf281328fb823807ca41102bcab1e1ae10ac
                                                  • Opcode Fuzzy Hash: 719aaca014ddbe938ddccd338175292346e26e56cd734e8311357c6d7686303c
                                                  • Instruction Fuzzy Hash: E8E0EDB4684308FBE714DBE09D09FAE7ABC9F1070AF20005CBA06922C1CB70CD80C6A2
                                                  APIs
                                                  • RegOpenKeyExA.ADVAPI32(80000001,Software\WindowsId Manager Reader,00000000,00000002,00000000), ref: 001CB4BD
                                                  • RegDeleteValueA.ADVAPI32(00000000,?), ref: 001CB4D1
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 001CB4DB
                                                  Strings
                                                  • Software\WindowsId Manager Reader, xrefs: 001CB4B3
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: CloseDeleteOpenValue
                                                  • String ID: Software\WindowsId Manager Reader
                                                  • API String ID: 849931509-3596387974
                                                  • Opcode ID: dcf5075200ebfcf79fe591688db8fb2a6a3f142fa433bca7f015860cf95feb6a
                                                  • Instruction ID: 014b8da1a6a012f78b9f968e970ac0b2b245e445900b04b8fb9d192be002c6be
                                                  • Opcode Fuzzy Hash: dcf5075200ebfcf79fe591688db8fb2a6a3f142fa433bca7f015860cf95feb6a
                                                  • Instruction Fuzzy Hash: 26E06D74584208FBD710CBC0DD49FDD7BB8EB08301F204048BA05E2181C7709E90DB64
                                                  APIs
                                                    • Part of subcall function 00417700: memset.MSVCRT ref: 0041771E
                                                    • Part of subcall function 00417700: _snprintf.MSVCRT ref: 00417738
                                                    • Part of subcall function 00417700: lstrlenA.KERNEL32(00000000), ref: 00417747
                                                  • Sleep.KERNEL32(00001388), ref: 0041D78A
                                                  • Sleep.KERNEL32(00002710), ref: 0041D795
                                                  • ExitProcess.KERNEL32 ref: 0041D799
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Sleep$ExitProcess_snprintflstrlenmemset
                                                  • String ID: bsod
                                                  • API String ID: 706155222-1315366068
                                                  • Opcode ID: 5d15d651c27175f04d5e74fd462e8a427f82b2033266bee5f332dd62e735eea4
                                                  • Instruction ID: 77945980bc6db91f5e61c21e4dd429644bb3d735a904765c80cd89053ab86d4d
                                                  • Opcode Fuzzy Hash: 5d15d651c27175f04d5e74fd462e8a427f82b2033266bee5f332dd62e735eea4
                                                  • Instruction Fuzzy Hash: DDD0A7B5E8523463E33223751C0EF9B58309F50F61F970222F915AB5E4899829C384EE
                                                  APIs
                                                    • Part of subcall function 00417330: memset.MSVCRT ref: 00417351
                                                    • Part of subcall function 00417330: lstrlenA.KERNEL32(?), ref: 00417369
                                                    • Part of subcall function 00417330: _snprintf.MSVCRT ref: 00417381
                                                    • Part of subcall function 00417330: _vsnprintf.MSVCRT ref: 004173A3
                                                    • Part of subcall function 00417330: lstrlenA.KERNEL32(00000000), ref: 004173B2
                                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000D760,00000000,00000000,00000000), ref: 0041E861
                                                  • CloseHandle.KERNEL32(00000000), ref: 0041E868
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$CloseCreateHandleThread_snprintf_vsnprintfmemset
                                                  • String ID: admin$isadmin
                                                  • API String ID: 3136305548-1977506819
                                                  • Opcode ID: 4719de677a310cf572529e5f930f1408297f636e65a04a0482a884508c1c4066
                                                  • Instruction ID: f2d1b7bd4f19270c633057c07a56440c1725f18d6cb9a49d4eae8900d47c49f1
                                                  • Opcode Fuzzy Hash: 4719de677a310cf572529e5f930f1408297f636e65a04a0482a884508c1c4066
                                                  • Instruction Fuzzy Hash: 46D012757C431476F13023A16E0FF0921541B34F07FB04422BB01BA0E1D5E83090457D
                                                  APIs
                                                    • Part of subcall function 00412460: GetProcessHeap.KERNEL32(?,004120DE,?), ref: 0041246C
                                                    • Part of subcall function 00412460: HeapAlloc.KERNEL32(?,00000008,004120DE,?,004120DE,?), ref: 0041247E
                                                  • inet_addr.WS2_32(?), ref: 004128BE
                                                  • DnsQuery_A.DNSAPI(?,00000001,00000008,00000000,?,00000000), ref: 00412939
                                                  • _stricmp.MSVCRT(?,?,?), ref: 0041294E
                                                  • DnsFree.DNSAPI(?,00000001), ref: 004129D9
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Heap$AllocFreeProcessQuery__stricmpinet_addr
                                                  • String ID:
                                                  • API String ID: 3002912770-0
                                                  • Opcode ID: 363f4bd2be198c592dfc01c977ecb9d3ff8234a4c6fb6eadd7cbf4809d80c790
                                                  • Instruction ID: da2cf2d48f069cdacf26715935eb5528d482ded086d75bb85a9c66e966474dbf
                                                  • Opcode Fuzzy Hash: 363f4bd2be198c592dfc01c977ecb9d3ff8234a4c6fb6eadd7cbf4809d80c790
                                                  • Instruction Fuzzy Hash: DC51B2B07002049FD720DF59DA81BAAB3B1FF85704F20445EE589DB381E7B9ADA1CB95
                                                  APIs
                                                  • lstrlenA.KERNEL32(?,?,?,?,?,?,001C9B36), ref: 001C9D09
                                                  • SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,001C9B36,?,?,?,?,?,001C9B36), ref: 001C9E9F
                                                  • StrChrA.SHLWAPI(?,00000025,?,?,?,?,?,001C9B36), ref: 001C9EB4
                                                  • lstrcatA.KERNEL32(001C9B36,?,?,?,?,?,?,001C9B36), ref: 001C9ED8
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: FolderPathlstrcatlstrlen
                                                  • String ID:
                                                  • API String ID: 4208654703-0
                                                  • Opcode ID: e5ed4507be77ceae89499d3a5025124c58d77ad3cdf92f391f9dd4269e824d4b
                                                  • Instruction ID: 882218f14dbaa349e0c2e62d01ebbeae4b2aedca4e471040ff2b154417290488
                                                  • Opcode Fuzzy Hash: e5ed4507be77ceae89499d3a5025124c58d77ad3cdf92f391f9dd4269e824d4b
                                                  • Instruction Fuzzy Hash: 4171F3B4D00209EFCB08CF94C498BAEBBB1FB65305F24819DD5126B250D3359B81DF91
                                                  APIs
                                                  • ApplyControlToken.SECUR32(?,?), ref: 00418FB5
                                                  • InitializeSecurityContextA.SECUR32(?,?,00000000,0008C11C,00000000,00000010,00000000,00000000,?,?,?,?), ref: 00418FF9
                                                  • DeleteSecurityContext.SECUR32(?,?,?,00000000,0008C11C,00000000,00000010,00000000,00000000,?,?,?,?), ref: 00419025
                                                  • FreeCredentialsHandle.SECUR32(?), ref: 0041902F
                                                    • Part of subcall function 00418760: FreeContextBuffer.SECUR32(?), ref: 00418774
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Context$FreeSecurity$ApplyBufferControlCredentialsDeleteHandleInitializeToken
                                                  • String ID:
                                                  • API String ID: 362823901-0
                                                  • Opcode ID: f4a55a55830c0ed390ffd79657fbbaedaab9f3e8fe4b3ec81955d1a4fd926c8e
                                                  • Instruction ID: 370ab60b4b5f9542497513ed2831f101adc94d93f7db2f387ec11969fcd94369
                                                  • Opcode Fuzzy Hash: f4a55a55830c0ed390ffd79657fbbaedaab9f3e8fe4b3ec81955d1a4fd926c8e
                                                  • Instruction Fuzzy Hash: 2941E9B1D00209ABCB10DF9AC9859EEFBF8FF98304F50454EE115B3211D7B9AA458B64
                                                  APIs
                                                  • WaitForSingleObject.KERNEL32(00417495,000000FF,?,00000000,771B0440,?,00417495), ref: 00414939
                                                  • ReleaseMutex.KERNEL32(?,?,00417495), ref: 0041497C
                                                  • ReleaseMutex.KERNEL32(-0000FFFF,?,00417495), ref: 004149A5
                                                  • ReleaseMutex.KERNEL32(00417495,?,00417495), ref: 004149D1
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: MutexRelease$ObjectSingleWait
                                                  • String ID:
                                                  • API String ID: 257779224-0
                                                  • Opcode ID: 0e987a91006c13fa974ce0e76a149b04aad47eb168e1eb4f0b6ce9d2d44220ab
                                                  • Instruction ID: 78ce1fdb4f76d23b9aecacc0d229c404acbfbd51e1f143a8bf596869ecd43eae
                                                  • Opcode Fuzzy Hash: 0e987a91006c13fa974ce0e76a149b04aad47eb168e1eb4f0b6ce9d2d44220ab
                                                  • Instruction Fuzzy Hash: 1A2171B12102068BDB209F75E8547E773A8FFC0365B19456BE588C7350DB78DC91CB98
                                                  APIs
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,771B0440,?,004173CC,00447C98,00000000,00000000,00000010,00000000), ref: 00414A10
                                                  • ReleaseMutex.KERNEL32(00000000,?,?,00000000), ref: 00414A77
                                                  • ReleaseMutex.KERNEL32(?,?,?,00000000), ref: 00414AA9
                                                  • ReleaseMutex.KERNEL32(?,00000000), ref: 00414ABC
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: MutexRelease$ObjectSingleWait
                                                  • String ID:
                                                  • API String ID: 257779224-0
                                                  • Opcode ID: ded7486340291b50e07dd4f92b6441ebf0c6f708f1e19b3133313f4229cf8493
                                                  • Instruction ID: bcbbc296d6a11d8d229eed2f8fd7af352fbba71c06e0ab77bdc21d484a026a36
                                                  • Opcode Fuzzy Hash: ded7486340291b50e07dd4f92b6441ebf0c6f708f1e19b3133313f4229cf8493
                                                  • Instruction Fuzzy Hash: 192160762442055BDB10DE69EC806EB73A9AFC07A471A452BF85887350EB39DD8286AC
                                                  APIs
                                                  • memset.MSVCRT ref: 004111E1
                                                  • GetFileAttributesA.KERNEL32(?), ref: 00411201
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000208), ref: 00411241
                                                  • ExitThread.KERNEL32 ref: 00411261
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: AttributesByteCharExitFileMultiThreadWidememset
                                                  • String ID:
                                                  • API String ID: 1389112251-0
                                                  • Opcode ID: da213b5b0d0f22654e4c6dac96fbf60eb2fcd573ef57f724f8cd6be190515d0b
                                                  • Instruction ID: bae09b584f330cfc9b91bb393ad624bd93949e4e0951d857d19f10f09a27d6ea
                                                  • Opcode Fuzzy Hash: da213b5b0d0f22654e4c6dac96fbf60eb2fcd573ef57f724f8cd6be190515d0b
                                                  • Instruction Fuzzy Hash: 29218B76200208ABDB20DF55EC49FEB3778EF88711F004259FE1993291DB34AC61CBA8
                                                  APIs
                                                  • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 0041D6FD
                                                  • RegSetValueExW.ADVAPI32(?,?,00000000,00000001,?,?), ref: 0041D731
                                                  • RegCloseKey.ADVAPI32(?), ref: 0041D740
                                                  • RegCloseKey.ADVAPI32(?), ref: 0041D753
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: Close$CreateValue
                                                  • String ID:
                                                  • API String ID: 1009429713-0
                                                  • Opcode ID: 084137dd316cefa5bab81ce4259d73e3a291ced7d63e16b0509bb3efc5efe452
                                                  • Instruction ID: 9faabb446b1b27174bd4e89449006a29b4a2cab97d93260a5b70c16f141618ea
                                                  • Opcode Fuzzy Hash: 084137dd316cefa5bab81ce4259d73e3a291ced7d63e16b0509bb3efc5efe452
                                                  • Instruction Fuzzy Hash: 3A213075740209BBDB24CF94DC46FEB7378EB88B44F104154FA05AB2D4E674FA4197A8
                                                  APIs
                                                  • AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001CB723
                                                  • LookupAccountSidW.ADVAPI32(00000000,00000000,?,00000101,?,00000010,?), ref: 001CB74F
                                                  • FreeSid.ADVAPI32(00000000,00000000,?,00000003,?,00000001), ref: 001CB77D
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: AccountAllocateFreeInitializeLookup
                                                  • String ID:
                                                  • API String ID: 1191408634-0
                                                  • Opcode ID: 4a0ac3178b41e64e093f116c5e3d157b130dfd6ff5e5df4c5c23a88abaa65054
                                                  • Instruction ID: 494266eae9c9a227342b0ab349336547dedfb1b415b2de3dd24730ad3dcf019b
                                                  • Opcode Fuzzy Hash: 4a0ac3178b41e64e093f116c5e3d157b130dfd6ff5e5df4c5c23a88abaa65054
                                                  • Instruction Fuzzy Hash: 38215171944248FAEB00DBD4DC99FEEBBB8AB54704F04418DF605AA1C1D7B59688CBA1
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: FreeLocal$closesocket
                                                  • String ID:
                                                  • API String ID: 1824021853-0
                                                  • Opcode ID: 2d1d443de8ee5940006318da9531b8486dd41f8124801771e2220e379c3a0512
                                                  • Instruction ID: 03ee2e20189498afa02da180e078afd4ce9e603253e673bf77af879fb029f646
                                                  • Opcode Fuzzy Hash: 2d1d443de8ee5940006318da9531b8486dd41f8124801771e2220e379c3a0512
                                                  • Instruction Fuzzy Hash: 44015A327442149FC721DF59E8848ABB3A9FF8976535404BAF649CB310C735EC82CBA8
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: strchr$CountSleepTick
                                                  • String ID:
                                                  • API String ID: 735077530-0
                                                  • Opcode ID: f6f80e06f5b278e9a94b6bae8f1ee8e27a0be809b034c927a3dce2808e612697
                                                  • Instruction ID: 8a35029c45542c6a1914408930e0c118419e4c296960a8c4f8cc60f1120c9b66
                                                  • Opcode Fuzzy Hash: f6f80e06f5b278e9a94b6bae8f1ee8e27a0be809b034c927a3dce2808e612697
                                                  • Instruction Fuzzy Hash: 35F0F97A34120057D710B7A6AC86ADA739ADBC8766F44042AFA0987302E97D9D5341BA
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: strchr$CountSleepTick
                                                  • String ID:
                                                  • API String ID: 735077530-0
                                                  • Opcode ID: dedb7fdd4847748964c7a402f0a4ddb0d30b49e09978f55252b62374c173f12c
                                                  • Instruction ID: 6455ef1b3d3a41050e6e468883928841579f34d77c6d4fcf2e5a5b5a8efb9052
                                                  • Opcode Fuzzy Hash: dedb7fdd4847748964c7a402f0a4ddb0d30b49e09978f55252b62374c173f12c
                                                  • Instruction Fuzzy Hash: F2F04672A011212BC2306666EC82ACBB3DCDB84762F040576FA049B352E56C9E9681FA
                                                  APIs
                                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041A0A2
                                                  • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0041A0C0
                                                  • CloseHandle.KERNEL32(00000000), ref: 0041A0CB
                                                  • CloseHandle.KERNEL32(00000000), ref: 0041A0D8
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: CloseFileHandle$CreateWrite
                                                  • String ID:
                                                  • API String ID: 3602564925-0
                                                  • Opcode ID: 72c9fae4c59f87e8da546e17bfa106dee459f40d228dd41674ca13d16ac004c7
                                                  • Instruction ID: 507c89accfbc8bf792299fd522fdc7a633b4902006533fc13dcd46000ab38972
                                                  • Opcode Fuzzy Hash: 72c9fae4c59f87e8da546e17bfa106dee459f40d228dd41674ca13d16ac004c7
                                                  • Instruction Fuzzy Hash: B3F0C271301204BBE3209F98EC09FEB37A8EB4C760F000254FE09D72D0D6706D1187A9
                                                  APIs
                                                    • Part of subcall function 00414900: WaitForSingleObject.KERNEL32(00417495,000000FF,?,00000000,771B0440,?,00417495), ref: 00414939
                                                    • Part of subcall function 00414900: ReleaseMutex.KERNEL32(?,?,00417495), ref: 0041497C
                                                  • lstrlenA.KERNEL32(00000000,00000000,%s.p10-> Message to %s hijacked!,msn), ref: 004208B1
                                                    • Part of subcall function 00417330: memset.MSVCRT ref: 00417351
                                                    • Part of subcall function 00417330: lstrlenA.KERNEL32(?), ref: 00417369
                                                    • Part of subcall function 00417330: _snprintf.MSVCRT ref: 00417381
                                                    • Part of subcall function 00417330: _vsnprintf.MSVCRT ref: 004173A3
                                                    • Part of subcall function 00417330: lstrlenA.KERNEL32(00000000), ref: 004173B2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$MutexObjectReleaseSingleWait_snprintf_vsnprintfmemset
                                                  • String ID: %s_0x%08X$bmsn$msnmsg
                                                  • API String ID: 1310428588-4225137719
                                                  • Opcode ID: b45dbc44d7c8c40fca0a8f6534ef9502c880ef0b4195ac01d8eafab9c048bd6d
                                                  • Instruction ID: 0c2aa617fd858fbec6a3b9f5e2ffbbaff5819af17a6339831ad932adf9456c80
                                                  • Opcode Fuzzy Hash: b45dbc44d7c8c40fca0a8f6534ef9502c880ef0b4195ac01d8eafab9c048bd6d
                                                  • Instruction Fuzzy Hash: E8F0E972B4112836E22075957C02FEB765CC741725F500167FD08E6242D99D5A1142E9
                                                  APIs
                                                    • Part of subcall function 00414900: WaitForSingleObject.KERNEL32(00417495,000000FF,?,00000000,771B0440,?,00417495), ref: 00414939
                                                    • Part of subcall function 00414900: ReleaseMutex.KERNEL32(?,?,00417495), ref: 0041497C
                                                  • lstrlenA.KERNEL32(00000000,?,?,00412696), ref: 0042084B
                                                    • Part of subcall function 004173E0: memset.MSVCRT ref: 00417401
                                                    • Part of subcall function 004173E0: memset.MSVCRT ref: 00417419
                                                    • Part of subcall function 004173E0: lstrlenA.KERNEL32(?), ref: 00417431
                                                    • Part of subcall function 004173E0: _snprintf.MSVCRT ref: 00417449
                                                    • Part of subcall function 004173E0: _vsnprintf.MSVCRT ref: 0041746B
                                                    • Part of subcall function 004173E0: lstrlenA.KERNEL32(?), ref: 0041747A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$memset$MutexObjectReleaseSingleWait_snprintf_vsnprintf
                                                  • String ID: %s_0x%08X$bmsn$msnmsg
                                                  • API String ID: 3682388603-4225137719
                                                  • Opcode ID: a5ad904f7859e69c8529e0ff6572235064765705bbdcd77236808e52a8394cf5
                                                  • Instruction ID: 02e105caca2b4e44852c6e81c9c1f5ac96728c95c8a2349f227af4d2cf1e628d
                                                  • Opcode Fuzzy Hash: a5ad904f7859e69c8529e0ff6572235064765705bbdcd77236808e52a8394cf5
                                                  • Instruction Fuzzy Hash: 57F0A772B9513C36E620BAA57C03FFB769CCB01755F900197FD08E6282E9DD5A1142E9
                                                  APIs
                                                  • memset.MSVCRT ref: 0041B9AF
                                                  • EnterCriticalSection.KERNEL32(0045A6C8,?,?,00000000), ref: 0041B9BC
                                                  • wvsprintfA.USER32(00000000,?,00000000), ref: 0041B9D1
                                                    • Part of subcall function 00418B30: memset.MSVCRT ref: 00418B6E
                                                  • LeaveCriticalSection.KERNEL32(0045A6C8,?,?,?,?,?,00000000), ref: 0041B9F2
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: CriticalSectionmemset$EnterLeavewvsprintf
                                                  • String ID:
                                                  • API String ID: 2410102678-0
                                                  • Opcode ID: e55e9ff60cc5b993649d0e92c76b9b55505910be26946af20f3222ba3fb77fa6
                                                  • Instruction ID: a61ea07655d25f139fe794ef3648a5fc359c7cce2f05440f6dd7ccfdbde88326
                                                  • Opcode Fuzzy Hash: e55e9ff60cc5b993649d0e92c76b9b55505910be26946af20f3222ba3fb77fa6
                                                  • Instruction Fuzzy Hash: 57F021B5E001186FC720EB54DC05FFA376CEF08705F0441A9FF08A2141E6746A158BAD
                                                  APIs
                                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000DD20,00000000,00000000,00000000), ref: 0041E9BF
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041E9C6
                                                  • CloseHandle.KERNEL32(00000000), ref: 0041E9C9
                                                  • Sleep.KERNEL32(0000EA60), ref: 0041E9D4
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: CloseCreateHandleObjectSingleSleepThreadWait
                                                  • String ID:
                                                  • API String ID: 422747524-0
                                                  • Opcode ID: 8371ea88c227a6cb94f4a4388fba4325f38ab26c435d7b9b91ad17e9a8919b20
                                                  • Instruction ID: 321ed048175cc181745d386fa01cc4ceb7442db2ce1d13eab5ef78ef5ceef2c1
                                                  • Opcode Fuzzy Hash: 8371ea88c227a6cb94f4a4388fba4325f38ab26c435d7b9b91ad17e9a8919b20
                                                  • Instruction Fuzzy Hash: E6F0E571341210BBE3305749AC46FAA7358EB59721F710032F300A62F086B429C28AAD
                                                  APIs
                                                  • GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 001C4D0F
                                                  • GetTickCount.KERNEL32 ref: 001C4D6D
                                                  Strings
                                                  • abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890123456789, xrefs: 001C4D1A
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2507919906.00000000001C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 001C0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_1c0000_svchost.jbxd
                                                  Similarity
                                                  • API ID: CountInformationTickVolume
                                                  • String ID: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890123456789
                                                  • API String ID: 1021880723-3397549705
                                                  • Opcode ID: 170681b8270e5e4b788c35070dc5760e271d4cb7261096dcc51417d3ac3e30af
                                                  • Instruction ID: c7603861b618e61aef9d75cf15ccf0ad4dc32e551027c8d3fac1c34694d1f27f
                                                  • Opcode Fuzzy Hash: 170681b8270e5e4b788c35070dc5760e271d4cb7261096dcc51417d3ac3e30af
                                                  • Instruction Fuzzy Hash: FA114830F08284A7EB04EBE49C12FAE7B79AB35700F24401DFA16AF285C7B4E505C762
                                                  APIs
                                                  • memset.MSVCRT ref: 0041BA1E
                                                  • wvsprintfA.USER32(00000000,00000000,00000000), ref: 0041BA42
                                                    • Part of subcall function 0041B990: memset.MSVCRT ref: 0041B9AF
                                                    • Part of subcall function 0041B990: EnterCriticalSection.KERNEL32(0045A6C8,?,?,00000000), ref: 0041B9BC
                                                    • Part of subcall function 0041B990: wvsprintfA.USER32(00000000,?,00000000), ref: 0041B9D1
                                                    • Part of subcall function 0041B990: LeaveCriticalSection.KERNEL32(0045A6C8,?,?,?,?,?,00000000), ref: 0041B9F2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: CriticalSectionmemsetwvsprintf$EnterLeave
                                                  • String ID: PPPPMSG %s :%s
                                                  • API String ID: 3980427996-569775469
                                                  • Opcode ID: 3756e546bdf30e7bc110ec52c1ec6d2973ae0b598b60101236ead675a370a58f
                                                  • Instruction ID: 646000b4ebba3625463f9e9a6f3c7e9441b0af9b8fd3b14e8a3b1f872cd49ae4
                                                  • Opcode Fuzzy Hash: 3756e546bdf30e7bc110ec52c1ec6d2973ae0b598b60101236ead675a370a58f
                                                  • Instruction Fuzzy Hash: 31F096B190020DABDB10EA54DC45FA63378FB44704F4081AAB90857241FB74AA498FE5
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000010.00000002.2522631223.0000000000410000.00000040.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_16_2_410000_svchost.jbxd
                                                  Similarity
                                                  • API ID: gethostbynameinet_addr
                                                  • String ID: n"A
                                                  • API String ID: 1594361348-459343902
                                                  • Opcode ID: 0dc712adc4df25350ee7766ec22a98ef040dde3b90c5f692ddb856f0b3388dda
                                                  • Instruction ID: 1b2519576034a67a24321d6c24fd3ff8fa693c524ef56efaf085d6adbbac869e
                                                  • Opcode Fuzzy Hash: 0dc712adc4df25350ee7766ec22a98ef040dde3b90c5f692ddb856f0b3388dda
                                                  • Instruction Fuzzy Hash: 9ED05B317005285B4A10A669F4508DA73DCDE4E3787454157FE2CC77A3C725AC8056D9

                                                  Execution Graph

                                                  Execution Coverage:4.6%
                                                  Dynamic/Decrypted Code Coverage:0%
                                                  Signature Coverage:0%
                                                  Total number of Nodes:236
                                                  Total number of Limit Nodes:10
                                                  execution_graph: rendered interactive call graph; its node and edge listing is not reproduced here. APIs named in the graph nodes: CreateMutexA, LoadLibraryA, Sleep, CreateFileA, WriteFile, FindCloseChangeNotification, LdrGetProcedureAddress, printf, NtAllocateVirtualMemory, ReadProcessMemory, WriteProcessMemory, EnterCriticalSection, LeaveCriticalSection, NtQueryInformationProcess, LdrEnumerateLoadedModules, CreateThread, CloseHandle, WaitForSingleObject, ReleaseMutex, GetPEB, LdrLoadDll, RtlAnsiStringToUnicodeString, GetVersionExA, GetNativeSystemInfo, strncpy, sprintf, _snprintf, OpenFileMappingA, InitializeCriticalSection.
5450 3094bbc 5452 3094bc8 5450->5452 5453 3094bda 5450->5453 5451->5391 5454 3094880 3 API calls 5452->5454 5455 3094c08 5453->5455 5456 3094bde WaitForSingleObject 5453->5456 5457 3094bce 5454->5457 5455->5391 5456->5455 5458 3094bed ReleaseMutex 5456->5458 5457->5451 5458->5455 5460 3093acc 5459->5460 5461 3093b10 5459->5461 5460->5461 5462 3093ae0 _snprintf 5460->5462 5461->5393 5462->5393 5463->5395 5465 30938a0 5464->5465 5466 30938ae 5464->5466 5508 30935b0 GetPEB 5465->5508 5468 30938c0 RtlAnsiStringToUnicodeString 5466->5468 5470 30938ee 5468->5470 5471 30938f6 LdrGetDllHandle 5468->5471 5469 30938a5 5469->5400 5470->5400 5471->5400 5509 30935d0 5472->5509 5474 3094c31 OpenProcessToken 5475 3094c48 LookupPrivilegeValueA 5474->5475 5476 3094c3c GetLastError 5474->5476 5477 3094c5c GetLastError CloseHandle 5475->5477 5478 3094c72 AdjustTokenPrivileges 5475->5478 5476->5404 5477->5404 5479 3094ca9 FindCloseChangeNotification 5478->5479 5480 3094ca3 GetLastError 5478->5480 5479->5404 5480->5479 5482 30930cb 5481->5482 5483 30930f1 5481->5483 5482->5483 5484 30930e7 InitializeCriticalSection 5482->5484 5483->5431 5484->5483 5486 309448e _snprintf OpenFileMappingA 5485->5486 5487 3094536 5485->5487 5488 3094530 5486->5488 5489 30944e2 MapViewOfFile 5486->5489 5487->5450 5488->5450 5489->5487 5490 3094516 CloseHandle 5489->5490 5490->5488 5492 309488b 5491->5492 5493 3094890 5491->5493 5492->5446 5494 30948a4 5493->5494 5495 3094897 CloseHandle 5493->5495 5496 30948b7 UnmapViewOfFile 5494->5496 5497 30948cc 5494->5497 5495->5494 5496->5494 5498 30948da CloseHandle 5497->5498 5499 30948ef 5497->5499 5498->5497 5499->5446 5506 309457a 5500->5506 5501 30946fd 5501->5449 5502 3094470 4 API calls 5502->5506 5503 30945b9 _snprintf 5504 30945ed CreateFileMappingA 5503->5504 5503->5506 5504->5501 5505 3094621 MapViewOfFile 5504->5505 5505->5506 5507 3094706 CloseHandle 5505->5507 5506->5501 5506->5502 5506->5503 5506->5504 5507->5449 5508->5469 5509->5474 5511 30947d1 
5510->5511 5512 3094875 5510->5512 5511->5512 5513 30947ed InterlockedIncrement 5511->5513 5512->5361 5516 3094807 5513->5516 5514 3094560 8 API calls 5514->5516 5515 3094470 _snprintf OpenFileMappingA MapViewOfFile CloseHandle 5515->5516 5516->5514 5516->5515 5517 309485c 5516->5517 5517->5361

                                                  Control-flow Graph

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 65b46629$NtGetNextProcess$SeDebugPrivilege$ntdll.dll
                                                  • API String ID: 0-4278936151
                                                  • Opcode ID: 00d2c3e177c932ace0e0c0ccde5e7ff42657fb65504daec0d42c3afd0a88c880
                                                  • Instruction ID: 5feab7e7429e0b59bbe74b1f2304432222d21dfeaae617bb9dec4c89c19a3d9b
                                                  • Opcode Fuzzy Hash: 00d2c3e177c932ace0e0c0ccde5e7ff42657fb65504daec0d42c3afd0a88c880
                                                  • Instruction Fuzzy Hash: 9E31097C6533147EEB14FBB6AC05BEE33989BC4F00F004086F9589E145EAB955009FA6

                                                  Control-flow Graph

                                                  APIs
                                                  • OpenProcessToken.ADVAPI32(00000000,00000028,?,03094E7E,SeDebugPrivilege,00000001,00000000,ntdll.dll,NtGetNextProcess), ref: 03094C32
                                                  • GetLastError.KERNEL32 ref: 03094C3C
                                                  • LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 03094C52
                                                  • GetLastError.KERNEL32 ref: 03094C5C
                                                  • CloseHandle.KERNEL32(?), ref: 03094C66
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$CloseHandleLookupOpenPrivilegeProcessTokenValue
                                                  • String ID:
                                                  • API String ID: 1673749002-0
                                                  • Opcode ID: 345710715750e2dade6e32f887fb3eac36d6771f1d8e2ac1a9e12ee4528c909b
                                                  • Instruction ID: e359e6d4cc40618ff164d48e1018d29015dbb850be7e76827424353effffc9aa
                                                  • Opcode Fuzzy Hash: 345710715750e2dade6e32f887fb3eac36d6771f1d8e2ac1a9e12ee4528c909b
                                                  • Instruction Fuzzy Hash: 58118A79A01608AFDB14EFE4EC0DFAE77BCEB48751F004549FE05D6240D67599049B51

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 03095A20: LdrEnumerateLoadedModules.NTDLL(00000000,Function_00005040,?), ref: 03095B0D
                                                  • NtQueryInformationProcess.NTDLL(00000000,0000001B,?,00000800,00000000), ref: 03095C80
                                                    • Part of subcall function 030949F0: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,771B0440,?,030973CC,030C7C98,00000000,00000000,00000010,00000000), ref: 03094A10
                                                    • Part of subcall function 030949F0: ReleaseMutex.KERNEL32(00000000,?,?,00000000), ref: 03094A77
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: EnumerateInformationLoadedModulesMutexObjectProcessQueryReleaseSingleWait
                                                  • String ID: STFU
                                                  • API String ID: 2599885325-778810564
                                                  • Opcode ID: 5bfac1b13c116e0d792ce2c412d0125f641c02db7aebf3261a1f39361ebf6ecf
                                                  • Instruction ID: 05a93d90d102f5bd3987631d286731562464a31dbf44d142681e94bbcdab5458
                                                  • Opcode Fuzzy Hash: 5bfac1b13c116e0d792ce2c412d0125f641c02db7aebf3261a1f39361ebf6ecf
                                                  • Instruction Fuzzy Hash: E4018DB5A423086EFF50EBA59C41BEA73ECEB44700F0041A6AA44DB180EE71995497E5

                                                  Control-flow Graph

                                                  APIs
                                                  • strncpy.MSVCRT ref: 03094B1A
                                                  • sprintf.MSVCRT ref: 03094B2C
                                                  • CreateMutexA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 03094B3F
                                                  • _snprintf.MSVCRT ref: 03094B6F
                                                  • OpenFileMappingA.KERNEL32(000F001F,00000000,?), ref: 03094B85
                                                  • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 03094B97
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 03094BE3
                                                  • ReleaseMutex.KERNEL32(?,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 03094C02
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: Mutex$ChangeCloseCreateFileFindMappingNotificationObjectOpenReleaseSingleWait_snprintfsprintfstrncpy
                                                  • String ID: %s_0$-%sMutex
                                                  • API String ID: 1674471773-892854768
                                                  • Opcode ID: 635d0cddec74bdf53f74ee5b9a553636d5960bf8d4b61ba89df49518f2da0253
                                                  • Instruction ID: a8aca2ebf8855d935549f1bce50c21f5417fcd789df16fa387bc45a7179809c1
                                                  • Opcode Fuzzy Hash: 635d0cddec74bdf53f74ee5b9a553636d5960bf8d4b61ba89df49518f2da0253
                                                  • Instruction Fuzzy Hash: D0314CB56027046BFB20EEA6EC41FDBB3EC9F84714F08455BF958DB180EAB0D5459690

                                                  Control-flow Graph

                                                  control_flow_graph 26 3095a20-3095a31 call 30935e0 29 3095c49-3095c4c 26->29 30 3095a37-3095a3e call 3093a20 26->30 30->29 33 3095a44-3095a5b 30->33 34 3095a61-3095a68 33->34 35 3095ae5-3095b4a call 3094d00 LdrEnumerateLoadedModules call 3093080 * 2 33->35 34->35 36 3095a6a-3095a76 34->36 47 3095b4f-3095b63 35->47 36->35 38 3095a78-3095a87 call 3093920 36->38 45 3095a8d-3095a97 38->45 46 3095c46-3095c48 38->46 48 3095a99 45->48 49 3095a9c-3095aa0 45->49 46->29 52 3095b70-3095b85 47->52 53 3095b65-3095b6c 47->53 48->49 50 3095ad8-3095ae3 49->50 51 3095aa2-3095aa5 49->51 50->35 50->38 54 3095aaa-3095aac 51->54 55 3095bcc-3095be5 52->55 56 3095b87-3095b8b 52->56 53->52 57 3095aae-3095ab1 54->57 58 3095ab3 54->58 61 3095bf4-3095c0a CreateThread CloseHandle 55->61 62 3095be7-3095bf2 55->62 59 3095b8d-3095ba7 call 30939a0 56->59 60 3095bc3-3095bca 56->60 64 3095ab7-3095ab9 call 3093750 57->64 58->64 59->60 72 3095ba9-3095bbf 59->72 60->55 60->56 63 3095c0c-3095c1f 61->63 62->61 62->63 66 3095c2e-3095c44 CreateThread CloseHandle 63->66 67 3095c21-3095c2c 63->67 71 3095abe-3095ac2 64->71 66->46 67->46 67->66 71->46 74 3095ac8-3095ad3 71->74 72->60 75 3095ad5 74->75 76 3095aa7 74->76 75->50 76->54
                                                  APIs
                                                  • LdrEnumerateLoadedModules.NTDLL(00000000,Function_00005040,?), ref: 03095B0D
                                                  • CreateThread.KERNEL32(00000000,00000000,Function_00005070,00000000,00000000,00000000), ref: 03095C03
                                                  • CloseHandle.KERNEL32(00000000), ref: 03095C0A
                                                  • CreateThread.KERNEL32(00000000,00000000,Function_000050F0,00000000,00000000,00000000), ref: 03095C3D
                                                  • CloseHandle.KERNEL32(00000000), ref: 03095C44
                                                    • Part of subcall function 03093920: RtlAnsiStringToUnicodeString.NTDLL(?,?,00000000), ref: 03093962
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: CloseCreateHandleStringThread$AnsiEnumerateLoadedModulesUnicode
                                                  • String ID: 65b46629$LdrLoadDll$NtResumeThread$ntdll.dll
                                                  • API String ID: 1691487058-2598396335
                                                  • Opcode ID: 18c03b9058a010e34e8da243f870014cb9ff6c380741e665598adc361e83ef89
                                                  • Instruction ID: 9ed118adc6447fb5baed4ed53077b584e3929d2c091f123657d027be4685ce44
                                                  • Opcode Fuzzy Hash: 18c03b9058a010e34e8da243f870014cb9ff6c380741e665598adc361e83ef89
                                                  • Instruction Fuzzy Hash: 2061FE79703702AFEF24DF6ADC81F6AB3E4AF84604F09452AE8019B281D770F401DB94

                                                  Control-flow Graph

                                                  control_flow_graph 130 3070e8c-3070ec6 CreateMutexA 132 3070ed2-3070fee LoadLibraryA * 2 Sleep CreateFileA 130->132 133 3070ec8-3070ecd 130->133 139 3070ff4-3071004 132->139 140 3071099-30710ab FindCloseChangeNotification 132->140 133->132 146 3071006-3071044 139->146 147 307104c-3071097 WriteFile 139->147 141 30710b1-30710c3 140->141 142 3071280 140->142 148 30710c5-30710d2 141->148 149 30710d4-30710f3 141->149 143 3071282-3071285 142->143 159 3071046 146->159 160 307104a 146->160 147->140 148->141 154 3071276-307127b 149->154 155 30710f9-3071100 149->155 154->142 158 307110b-3071112 155->158 161 3071114-3071121 158->161 162 3071123-30711cf 158->162 159->160 160->140 161->158 170 30711d1-30711d4 162->170 171 30711d9-3071201 162->171 170->143 173 3071203-3071214 171->173 174 307123f-307124c 171->174 179 3071216-307122e 173->179 180 3071233-307123a 173->180 175 3071271 174->175 176 307124e-307125b 174->176 175->154 176->175 178 307125d-307126c 176->178 178->175 179->180 180->174
                                                  APIs
                                                  • CreateMutexA.KERNELBASE(00000000,00000000,?), ref: 03070EB7
                                                  • LoadLibraryA.KERNELBASE(?,?), ref: 03070F14
                                                  • LoadLibraryA.KERNELBASE(?,?), ref: 03070F3C
                                                  • Sleep.KERNELBASE(0000C350), ref: 03070FC7
                                                  • CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000004,00000000,00000000), ref: 03070FE5
                                                  • WriteFile.KERNELBASE(000000FF,?,00000000), ref: 03071097
                                                  • FindCloseChangeNotification.KERNELBASE(000000FF), ref: 030710A3
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2507923478.0000000003070000.00000040.00000400.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3070000_calc.jbxd
                                                  Similarity
                                                  • API ID: CreateFileLibraryLoad$ChangeCloseFindMutexNotificationSleepWrite
                                                  • String ID:
                                                  • API String ID: 2321068157-0
                                                  • Opcode ID: 6874dfed46059ecbed0a14142465933fea1e3138d9ef7359cd667ab9320ad1f6
                                                  • Instruction ID: ce76680658a04f8c3cc8827d9f5ac911d405259c16eb307a8c26677dfb8edf36
                                                  • Opcode Fuzzy Hash: 6874dfed46059ecbed0a14142465933fea1e3138d9ef7359cd667ab9320ad1f6
                                                  • Instruction Fuzzy Hash: AAD12E71A00108AFDB08CF58CC95FAE7BB6EF88754F14C158F909AB395D674EA81CB94

                                                  Control-flow Graph

                                                  control_flow_graph 181 3092f90-3092f9c 182 3092fa2-3092fa7 181->182 183 3093074-309307b 181->183 182->183 184 3092fad-3092fb2 182->184 184->183 185 3092fb8-3092fbc 184->185 185->183 186 3092fc2-3092fda ReadProcessMemory 185->186 187 309306b-3093073 186->187 188 3092fe0-3092ff6 call 3092e40 186->188 188->187 191 3092ff8-3093020 call 3092e20 WriteProcessMemory 188->191 191->187 194 3093022-3093026 191->194 194->187 195 3093028-309303a WriteProcessMemory 194->195 195->187 196 309303c-3093042 195->196 196->187 197 3093044-3093057 WriteProcessMemory 196->197 197->187 198 3093059-309305d 197->198 198->187 199 309305f-309306a 198->199
                                                  APIs
                                                  • ReadProcessMemory.KERNELBASE(?,?,00000000,00000010,?), ref: 03092FD2
                                                  • WriteProcessMemory.KERNELBASE(?,00000000,?,00000020,?), ref: 0309301C
                                                  • WriteProcessMemory.KERNELBASE(?,?,?,00000000,00000020), ref: 03093036
                                                  • WriteProcessMemory.KERNELBASE(?,00000000,00000000,00000004,00000020), ref: 03093053
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: MemoryProcess$Write$Read
                                                  • String ID:
                                                  • API String ID: 2454571318-3916222277
                                                  • Opcode ID: 30b37c40efd526b33f489b61a66b823a54bb2fe495ab8fa569983dcf70a818c3
                                                  • Instruction ID: 90c74df4292906c81b37db85c004cb9e515408f7fafa59a6ef758903b236b5ae
                                                  • Opcode Fuzzy Hash: 30b37c40efd526b33f489b61a66b823a54bb2fe495ab8fa569983dcf70a818c3
                                                  • Instruction Fuzzy Hash: 5231B0B660190DAFEF10DE89DC81EFFB3BCEB80644F1442A6E90597144E731AA45DBA0

                                                  Control-flow Graph

                                                  control_flow_graph 200 3094470-3094488 201 309448e-30944e0 _snprintf OpenFileMappingA 200->201 202 3094544-309455b 200->202 203 3094530-3094535 201->203 204 30944e2-3094514 MapViewOfFile 201->204 205 3094536-309453d 204->205 206 3094516-3094528 CloseHandle 204->206 205->202 206->203
                                                  APIs
                                                  • _snprintf.MSVCRT ref: 030944A7
                                                  • OpenFileMappingA.KERNEL32(000F001F,00000000,?), ref: 030944BD
                                                  • MapViewOfFile.KERNELBASE(?,000F001F,00000000,00000000,00000000), ref: 030944F0
                                                  • CloseHandle.KERNEL32(?), ref: 0309451B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: File$CloseHandleMappingOpenView_snprintf
                                                  • String ID: %s_%d
                                                  • API String ID: 460513966-1933919280
                                                  • Opcode ID: 582c39cb809b0b96263f46bd37431fee6b9810ac6145484d586df8cf471ef440
                                                  • Instruction ID: ce6c93b71dfc5a866f008c8336bdee953917158461f9342283c93444a36a21e8
                                                  • Opcode Fuzzy Hash: 582c39cb809b0b96263f46bd37431fee6b9810ac6145484d586df8cf471ef440
                                                  • Instruction Fuzzy Hash: C721A4B2251B068FE331DF58D989B72B3E8EB84304F44857DA74687285DB79B461EB40

                                                  Control-flow Graph

                                                  control_flow_graph 207 3093f90-3093f9d 208 3093fab-3093fb6 call 30935e0 207->208 209 3093f9f-3093fa6 call 3093890 207->209 214 3094018-309401b 208->214 215 3093fb8-3094001 call 30935e0 call 3093890 call 3093750 208->215 209->208 215->214 222 3094003-3094012 GetNativeSystemInfo 215->222 222->214
                                                  APIs
                                                  • GetNativeSystemInfo.KERNELBASE(?,00000000,kernel32.dll,GetNativeSystemInfo,?,?,?,?,?,?,?,03094D5C), ref: 03094007
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: InfoNativeSystem
                                                  • String ID: GetNativeSystemInfo$kernel32.dll
                                                  • API String ID: 1721193555-192647395
                                                  • Opcode ID: 1cb189f27a4d4a906381d0498a635fc142e4612970ca2c6d5f501813c8144afd
                                                  • Instruction ID: e22382b0b19e50a19f5a971258c8bd8e1e5287f4744169d054d4186a13526476
                                                  • Opcode Fuzzy Hash: 1cb189f27a4d4a906381d0498a635fc142e4612970ca2c6d5f501813c8144afd
                                                  • Instruction Fuzzy Hash: DB010CB4C1A3099FDF18EFAAA90129EBBF4AB88700F0444AFE008A6744E7355740DF59

                                                  Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed)
                                                  • Blocks: 3093750-309375e; 3093760-3093781 (LdrGetProcedureAddress); 3093784-309378a; 3093790-3093795 (loop); 3093797-30937c5 (LdrGetProcedureAddress)
                                                  • Edges: 3093750 -> 3093760, 3093750 -> 3093784, 3093784 -> 3093790, 3093790 -> 3093790, 3093790 -> 3093797
                                                  APIs
                                                  • LdrGetProcedureAddress.NTDLL(?,00000000,00000000,?), ref: 0309376B
                                                  • LdrGetProcedureAddress.NTDLL(?,?,00000000,?), ref: 030937AF
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: AddressProcedure
                                                  • String ID:
                                                  • API String ID: 3653107232-0
                                                  • Opcode ID: 833459ddbf2d124942908eff6e1d7d9c249daf0e6e4705387f4726b5c7167262
                                                  • Instruction ID: b06e59dbc8a1c79da9eb3c50ad74b63f62ffa65ed81184392569384dda715cba
                                                  • Opcode Fuzzy Hash: 833459ddbf2d124942908eff6e1d7d9c249daf0e6e4705387f4726b5c7167262
                                                  • Instruction Fuzzy Hash: 7F019279601609AFDB04CF68D895FEA77A9EF48350F04C199FC05CF104EA30D6448BA1

                                                  APIs
                                                  • RtlAnsiStringToUnicodeString.NTDLL(?,?,00000000), ref: 03093962
                                                  • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 03093980
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: String$AnsiLoadUnicode
                                                  • String ID:
                                                  • API String ID: 4066666101-0
                                                  • Opcode ID: 3081a8ae9fd7e151218000f304bf36f79bcdbecfcb61dd8b35d4b6de169ab87c
                                                  • Instruction ID: efd4ca762b16be4a0487b902f641ed6cddd22cba087b616acbcfa4eb0b9ab852
                                                  • Opcode Fuzzy Hash: 3081a8ae9fd7e151218000f304bf36f79bcdbecfcb61dd8b35d4b6de169ab87c
                                                  • Instruction Fuzzy Hash: 3D0184B6A0160CABDB04DFE4DC45BDEB778AF54300F00C1AAE905DB250F6309604CB91
                                                  APIs
                                                  • memset.MSVCRT ref: 0309B4A2
                                                    • Part of subcall function 030973E0: memset.MSVCRT ref: 03097401
                                                    • Part of subcall function 030973E0: memset.MSVCRT ref: 03097419
                                                    • Part of subcall function 030973E0: lstrlenA.KERNEL32(?), ref: 03097431
                                                    • Part of subcall function 030973E0: _snprintf.MSVCRT ref: 03097449
                                                    • Part of subcall function 030973E0: _vsnprintf.MSVCRT ref: 0309746B
                                                    • Part of subcall function 030973E0: lstrlenA.KERNEL32(?), ref: 0309747A
                                                  • lstrcpyA.KERNEL32(?,030A1335), ref: 0309B51A
                                                  • HeapAlloc.KERNEL32(03490000,00000008,00000104), ref: 0309B536
                                                  • GetVersionExA.KERNEL32(?), ref: 0309B550
                                                  • lstrcpyA.KERNEL32(?,ERR), ref: 0309B5F5
                                                  • HeapAlloc.KERNEL32(03490000,00000008,00000104), ref: 0309B60D
                                                  • strstr.MSVCRT ref: 0309B641
                                                  • lstrlenA.KERNEL32(00000000), ref: 0309B650
                                                  • lstrlenA.KERNEL32(-00000004), ref: 0309B65F
                                                  • GetLocaleInfoA.KERNEL32(00000800,00000007,00000000,00000400), ref: 0309B67D
                                                  • lstrcmpA.KERNEL32(-00000004,030A2BE4), ref: 0309B6A8
                                                  • GetLocaleInfoA.KERNEL32(00000800,00000007,00000000,00000400), ref: 0309B6C5
                                                  • lstrcpyA.KERNEL32(?,00000000), ref: 0309B719
                                                  • HeapAlloc.KERNEL32(03490000,00000008,00000104), ref: 0309B74A
                                                    • Part of subcall function 03091BA0: GetSystemTimeAsFileTime.KERNEL32(?), ref: 03091BC5
                                                  • HeapAlloc.KERNEL32(03490000,00000008,00000104), ref: 0309B75B
                                                  • HeapAlloc.KERNEL32(03490000,00000008,00000104), ref: 0309B76E
                                                  • HeapAlloc.KERNEL32(03490000,00000008,00000104), ref: 0309B781
                                                  • _snprintf.MSVCRT ref: 0309B796
                                                  • _snprintf.MSVCRT ref: 0309B7AB
                                                  • lstrcpyA.KERNEL32(?,030A2C0C), ref: 0309B7CD
                                                  • _snprintf.MSVCRT ref: 0309B7FC
                                                  • _snprintf.MSVCRT ref: 0309B863
                                                  • _snprintf.MSVCRT ref: 0309B878
                                                  • lstrcpyA.KERNEL32(?,030A2C0C), ref: 0309B89A
                                                  • _snprintf.MSVCRT ref: 0309B8C9
                                                  • _snprintf.MSVCRT ref: 0309B8E0
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 0309B8F3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: _snprintf$AllocHeap$lstrcpy$lstrlen$memset$InfoLocaleTime$??3@FileSystemVersion_vsnprintflstrcmpstrstr
                                                  • String ID: 2K3$2K8$<br>$C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe$ERR$VIS$_%s_%s%s_%s$admin$http://api.wipmania.com/$isadmin$n%s_%s_%s%s_%s
                                                  • API String ID: 124843797-2084827365
                                                  • Opcode ID: 10fecfbfb5bdbd1bacc99e668e53871ae0e0c9242f9c04f80e2f0af826a52bd2
                                                  • Instruction ID: 79e3abf358080eaac946b1efdc88e130f9ad79ce2cbb6da208a06ff697aa256e
                                                  • Opcode Fuzzy Hash: 10fecfbfb5bdbd1bacc99e668e53871ae0e0c9242f9c04f80e2f0af826a52bd2
                                                  • Instruction Fuzzy Hash: EDC1D6B4642704AFEB24DF94EC81FABB3FCAB44714F048D5DE652AA180D6B4E944DB20
                                                  APIs
                                                  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,08000000,00000000), ref: 03091ECD
                                                  • GetLastError.KERNEL32 ref: 03091EDA
                                                  • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 03091EF5
                                                  • GetLastError.KERNEL32 ref: 03091EFF
                                                  • CloseHandle.KERNEL32(00000000), ref: 03091F06
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$AcquireCloseContextCreateCryptFileHandle
                                                  • String ID:
                                                  • API String ID: 2213256293-0
                                                  • Opcode ID: 4a5a08a2574dfb18d42e5aa50c415a4172ae789ae0781166f4680a93b67a7590
                                                  • Instruction ID: ea6d7f36b73630bdeeccef4d15ed6df22cbbdab707609d7ade8c5301a9cac966
                                                  • Opcode Fuzzy Hash: 4a5a08a2574dfb18d42e5aa50c415a4172ae789ae0781166f4680a93b67a7590
                                                  • Instruction Fuzzy Hash: 5651A176602908BFDB04EBE9FC88EBFB7BCFB88255F14459AFA05D2144D73589019B60
                                                  APIs
                                                  • NtQueryInformationThread.NTDLL(?,00000000,?,0000001C,00000000), ref: 030953E7
                                                  • OpenProcess.KERNEL32(0000047A,00000000,?), ref: 0309540E
                                                  • NtQueryInformationProcess.NTDLL(00000000,0000001B,?,00000400,00000000), ref: 0309542F
                                                  • CloseHandle.KERNEL32(00000000), ref: 030956C0
                                                    • Part of subcall function 03094900: WaitForSingleObject.KERNEL32(03097495,000000FF,?,00000000,771B0440,?,03097495), ref: 03094939
                                                    • Part of subcall function 03094900: ReleaseMutex.KERNEL32(?,?,03097495), ref: 0309497C
                                                  • InterlockedCompareExchange.KERNEL32(00000000,00000000), ref: 030954AB
                                                  • VirtualAllocEx.KERNEL32(00000000,00000000,03090000,00003000,00000040), ref: 0309552F
                                                  • WriteProcessMemory.KERNEL32(00000000,00000000,?,03090000,?), ref: 0309554E
                                                  • NtQueryInformationProcess.NTDLL(00000000,00000000,?,00000018,00000000), ref: 03095573
                                                  • ReadProcessMemory.KERNEL32(00000000,?,?,00000004,?), ref: 030955A0
                                                  • ReadProcessMemory.KERNEL32(00000000,?,?,00000004,?), ref: 030955C4
                                                  • ReadProcessMemory.KERNEL32(00000000,?,?,00000004,?), ref: 030955EC
                                                  • ReadProcessMemory.KERNEL32(00000000,?,030C89B0,00000005,?), ref: 03095618
                                                    • Part of subcall function 03094160: VirtualAllocEx.KERNEL32(?,00000000,00000000,00003000,00000040,00000000,?,?,?), ref: 03094192
                                                    • Part of subcall function 03094160: WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?), ref: 0309424F
                                                  • WriteProcessMemory.KERNEL32(00000000,?,?,00000005,?), ref: 030956B7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: Process$Memory$Read$InformationQueryWrite$AllocVirtual$CloseCompareExchangeHandleInterlockedMutexObjectOpenReleaseSingleThreadWait
                                                  • String ID: 65b46629$STFU
                                                  • API String ID: 992379172-1957485439
                                                  • Opcode ID: 049773cd84405c64439a8fbdd5dcab3014624459ce9c20b5d595818afd43d061
                                                  • Instruction ID: dd6e75b1d9c018521db0b2f591b1c13b76106082060c7124f544561e502e3b47
                                                  • Opcode Fuzzy Hash: 049773cd84405c64439a8fbdd5dcab3014624459ce9c20b5d595818afd43d061
                                                  • Instruction Fuzzy Hash: 4C9183B5A02209AFEF11DF95DC81FEEB7B8EB85700F14415AE605EB240E774AA41DF60
                                                  APIs
                                                  • memset.MSVCRT ref: 0309F150
                                                  • memset.MSVCRT ref: 0309F168
                                                  • lstrcpyA.KERNEL32(?,?), ref: 0309F17B
                                                    • Part of subcall function 0309EDF0: memset.MSVCRT ref: 0309EE0E
                                                    • Part of subcall function 0309EDF0: vsprintf.MSVCRT ref: 0309EE22
                                                    • Part of subcall function 0309EDF0: PathAppendA.SHLWAPI(?,00000000), ref: 0309EE35
                                                  • SetCurrentDirectoryA.KERNEL32(?), ref: 0309F196
                                                  • FindFirstFileA.KERNEL32(?,?), ref: 0309F1AA
                                                  • CoInitialize.OLE32(00000000), ref: 0309F1C2
                                                  • _snprintf.MSVCRT ref: 0309F1E1
                                                  • FindNextFileA.KERNEL32(?,?), ref: 0309F20C
                                                  • strncmp.MSVCRT(?,030A2FC0,00000008), ref: 0309F22E
                                                  • strstr.MSVCRT ref: 0309F246
                                                  • _snprintf.MSVCRT ref: 0309F26B
                                                  • FindNextFileA.KERNEL32(?,?), ref: 0309F290
                                                  • FindClose.KERNEL32(?), ref: 0309F29E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: Find$Filememset$Next_snprintf$AppendCloseCurrentDirectoryFirstInitializePathlstrcpystrncmpstrstrvsprintf
                                                  • String ID: %s%s
                                                  • API String ID: 3870971729-3252725368
                                                  • Opcode ID: bc5e3bd7f91ad5e842dc79aa8327dfd1fafe597bd26211fc1ac7667356053f22
                                                  • Instruction ID: 9647d56c2c2a2018071cb07c867e8ee123baa337161bddd128ed3193fa1da42e
                                                  • Opcode Fuzzy Hash: bc5e3bd7f91ad5e842dc79aa8327dfd1fafe597bd26211fc1ac7667356053f22
                                                  • Instruction Fuzzy Hash: E841077A94261CABDF14DBA4EC84FEF737CEF84341F044599B9089A044E670AF84DB60
                                                  APIs
                                                  • VirtualAlloc.KERNEL32(00000000,00008000,00001000,00000004), ref: 03099DA7
                                                  • CreateFileA.KERNEL32(\\.\PHYSICALDRIVE0,C0000000,00000003,00000000,00000003,20000080,00000000), ref: 03099DD5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: AllocCreateFileVirtual
                                                  • String ID: \\.\PHYSICALDRIVE0
                                                  • API String ID: 1475775534-1557481562
                                                  • Opcode ID: 7d6b9123644e17ab17caf658dce94560060264ffb3920a70065df00aaace5279
                                                  • Instruction ID: 523c2dec56d85f3b985dd28cc1021d4a7e9950eb7d3d7e6698fd4385624bed08
                                                  • Opcode Fuzzy Hash: 7d6b9123644e17ab17caf658dce94560060264ffb3920a70065df00aaace5279
                                                  • Instruction Fuzzy Hash: 4C31E8727817047AF62095ADBC46FEB775CD784B32F200266FB18EA1C0DAE0690096F4
                                                  APIs
                                                  • memset.MSVCRT ref: 03095844
                                                  • NtGetNextProcess.NTDLL(00000000,0000047A,00000000,00000000,00000000), ref: 030958A6
                                                  • CloseHandle.KERNEL32(00000000), ref: 030958B9
                                                  • NtQueryInformationProcess.NTDLL(00000000,00000000,?,00000018,00000000), ref: 030958CF
                                                  • NtQueryInformationProcess.NTDLL(00000000,0000001B,00000000,00000800,00000000), ref: 030958FC
                                                  • InterlockedCompareExchange.KERNEL32(00000000,00000000), ref: 03095970
                                                  • CloseHandle.KERNEL32(00000000), ref: 03095A05
                                                    • Part of subcall function 030949F0: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,771B0440,?,030973CC,030C7C98,00000000,00000000,00000010,00000000), ref: 03094A10
                                                    • Part of subcall function 030949F0: ReleaseMutex.KERNEL32(00000000,?,?,00000000), ref: 03094A77
                                                  • Sleep.KERNEL32(00000001), ref: 030959F9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: Process$CloseHandleInformationQuery$CompareExchangeInterlockedMutexNextObjectReleaseSingleSleepWaitmemset
                                                  • String ID: STFU
                                                  • API String ID: 3848293298-778810564
                                                  • Opcode ID: a3677e83391a2fad8bcd7167f598d2310b834140ac3d4a95c68f6c7b484d9345
                                                  • Instruction ID: d5b54603f5386f47ea83604a999807ce885438e6a28d953a99a8f1b012b561ba
                                                  • Opcode Fuzzy Hash: a3677e83391a2fad8bcd7167f598d2310b834140ac3d4a95c68f6c7b484d9345
                                                  • Instruction Fuzzy Hash: 72510770E01319ABEB14DFA9DC41BAEB7F8EF85B10F148169F545EB280DB749940CB90
                                                  APIs
                                                  • memset.MSVCRT ref: 03099EDF
                                                  • CreateFileA.KERNEL32(\\.\PHYSICALDRIVE0,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 03099F16
                                                  • DeviceIoControl.KERNEL32(00000000,00090018,00000000,00000000,00000000,00000000,?,00000000), ref: 03099F45
                                                  • WriteFile.KERNEL32(00000000,00000000,00000200,?,00000000), ref: 03099F5A
                                                  • DeviceIoControl.KERNEL32(00000000,0009001C,00000000,00000000,00000000,00000000,?,00000000), ref: 03099F74
                                                  • CloseHandle.KERNEL32(00000000), ref: 03099F77
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: ControlDeviceFile$CloseCreateHandleWritememset
                                                  • String ID: 00100$U$\\.\PHYSICALDRIVE0
                                                  • API String ID: 3939175881-3482488017
                                                  • Opcode ID: 65a9d73f2939f1b05235680edd323695240d40f9886b20611edf7dccf782a914
                                                  • Instruction ID: 772d09b476a0d7e56a709d8ad4bdbe57c66c6a9bca02f585ca618181393b1e10
                                                  • Opcode Fuzzy Hash: 65a9d73f2939f1b05235680edd323695240d40f9886b20611edf7dccf782a914
                                                  • Instruction Fuzzy Hash: 1811C835BC17187AF730E698AC0BFDE776C8B55B11F100285F714BE1C196E0260087A5
                                                  APIs
                                                  • printf.MSVCRT ref: 030934A0
                                                  • printf.MSVCRT ref: 030934AD
                                                  • printf.MSVCRT ref: 030934CC
                                                  • NtAllocateVirtualMemory.NTDLL(00000000,?,00000000,030C7A80,00003000,00000040), ref: 030934F2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: printf$AllocateMemoryVirtual
                                                  • String ID: Done frst$block_size: %d$ngr->blocksize: %d
                                                  • API String ID: 3635587295-1816125109
                                                  • Opcode ID: 7c8ed5e6f97e39eb861ae9c23ed9310f149516515a6ae03f9bc5415e25a88bc1
                                                  • Instruction ID: 916f1e6075caa3f503d9699a34499003f45527cf877d47b1d7e73a62740f94eb
                                                  • Opcode Fuzzy Hash: 7c8ed5e6f97e39eb861ae9c23ed9310f149516515a6ae03f9bc5415e25a88bc1
                                                  • Instruction Fuzzy Hash: 9141EA79A01704AFEF14DF68D845EDAB7E9EF88214F18C59EE9098B241E731E901DF90
                                                  APIs
                                                    • Part of subcall function 03093920: RtlAnsiStringToUnicodeString.NTDLL(?,?,00000000), ref: 03093962
                                                    • Part of subcall function 03093750: LdrGetProcedureAddress.NTDLL(?,00000000,00000000,?), ref: 0309376B
                                                  • OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,NtShutdownSystem), ref: 0309A57A
                                                  • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0309A58F
                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0309A5B3
                                                  • GetLastError.KERNEL32 ref: 0309A5B9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: StringToken$AddressAdjustAnsiErrorLastLookupOpenPrivilegePrivilegesProcedureProcessUnicodeValue
                                                  • String ID: NtShutdownSystem$SeShutdownPrivilege$ntdll.dll
                                                  • API String ID: 4135695518-1699316426
                                                  • Opcode ID: 60d046066183d4b87951fd119870374f57211c8d69a6319c102456d7e8ae3955
                                                  • Instruction ID: 4be556f2891418102800351f1da80214c85b6dc424e01930e017f928ef14e9c0
                                                  • Opcode Fuzzy Hash: 60d046066183d4b87951fd119870374f57211c8d69a6319c102456d7e8ae3955
                                                  • Instruction Fuzzy Hash: 23F08179B427047BEB14FBE5AC0AFEF77BC9B44B00F100055B614EA1C1DAF465049BA1
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a3a670977c343868f2aefbb50dbe56cf8cc91d7e0fd2975264f370eca5b95c87
                                                  • Instruction ID: 1373c2f4068ea56a7b3c4f2f494e1109bf4ee52943553f5319c9b2a2fc17c378
                                                  • Opcode Fuzzy Hash: a3a670977c343868f2aefbb50dbe56cf8cc91d7e0fd2975264f370eca5b95c87
                                                  • Instruction Fuzzy Hash: 0331C4757027046BEB20EE7AEC41F6BB3ECEB88611F54855AFD09D7280DA71E80196A4

                                                  Control-flow Graph

                                                  APIs
                                                  • HeapAlloc.KERNEL32(03490000,00000008,00000800), ref: 0309D7C3
                                                  • HeapAlloc.KERNEL32(03490000,00000008,00000800), ref: 0309D7D2
                                                  • memset.MSVCRT ref: 0309D7EE
                                                  • HeapFree.KERNEL32(03490000,?,00000000), ref: 0309D80B
                                                  • HeapFree.KERNEL32(03490000,00000000,00000000), ref: 0309D819
                                                  • GetLastError.KERNEL32 ref: 0309D82F
                                                  • HeapFree.KERNEL32(03490000,00000000,00000000), ref: 0309D83C
                                                  • GetLastError.KERNEL32 ref: 0309D852
                                                  • HeapFree.KERNEL32(03490000,00000000,00000000), ref: 0309D85B
                                                  • ReadFile.KERNEL32(?,00000000,00000800,00000000,00000000), ref: 0309D87A
                                                  • atoi.MSVCRT ref: 0309D8D3
                                                  • strchr.MSVCRT ref: 0309D8E8
                                                  • lstrlenA.KERNEL32(30e4*ga1), ref: 0309D900
                                                  • HeapAlloc.KERNEL32(?,00000008,00000001), ref: 0309D924
                                                  • HeapAlloc.KERNEL32(?,00000008,00000001), ref: 0309D930
                                                  • strchr.MSVCRT ref: 0309D93F
                                                  • lstrlenA.KERNEL32(00000000), ref: 0309D952
                                                  • lstrcpynA.KERNEL32(00000000,00000001,00000000), ref: 0309D95E
                                                  • lstrcpynA.KERNEL32(?,00000000,00000001), ref: 0309D96D
                                                  • lstrcmpA.KERNEL32(?,ftplog), ref: 0309D97F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: Heap$AllocFree$ErrorLastlstrcpynlstrlenstrchr$FileReadatoilstrcmpmemset
                                                  • String ID: 30e4*ga1$FTP -> $POP3 -> $[DNS]: Blocked DNS "%s"$[FTP Infect]: %s was iframed$[FTP Login]: %s$[HTTP Login]: %s$[HTTP Traffic]: %s$[HTTP]: %s$[MSN]: %s$[PDef+]: %s$[POP3 Login]: %s$[Ruskill]: Detected DNS: "%s"$[Ruskill]: Detected File: "%s"$[Ruskill]: Detected Reg: "%s"$blk$block$disable$dns$ftpinfect$ftplog$httplogin$httpspread$httptraff$msn$poplog$rdns$rreg$ruskill
                                                  • API String ID: 1531277263-2048044856
                                                  • Opcode ID: d2954c7bc8664eadb1b538349daaec275547a43fa4d1402e8d4fbc7fde2beb13
                                                  • Instruction ID: 33d209609491e4567d955f4821a271a443e415458dd25af3ae740a48056b75da
                                                  • Opcode Fuzzy Hash: d2954c7bc8664eadb1b538349daaec275547a43fa4d1402e8d4fbc7fde2beb13
                                                  • Instruction Fuzzy Hash: E1E15775683F05BFEB10F7ACBC45FBF76BCEF86A41F044005F911AA142DAA49801AB61
                                                  APIs
                                                  • lstrlenA.KERNEL32(?,00000000,00000000,771B0440), ref: 030A0446
                                                  • GetProcessHeap.KERNEL32(00000008,00000001), ref: 030A044C
                                                  • HeapAlloc.KERNEL32(00000000), ref: 030A0453
                                                  • memset.MSVCRT ref: 030A048B
                                                  • GetProcessHeap.KERNEL32 ref: 030A0493
                                                  • lstrcpyA.KERNEL32(00000000,?), ref: 030A04A9
                                                  • sscanf.MSVCRT ref: 030A04C5
                                                  • strstr.MSVCRT ref: 030A04DC
                                                  • lstrlenA.KERNEL32(03092780), ref: 030A04F0
                                                  • lstrlenA.KERNEL32(?), ref: 030A04FA
                                                  • HeapAlloc.KERNEL32(?,00000008,00000000), ref: 030A0505
                                                  • strtok.MSVCRT ref: 030A051B
                                                  • lstrcpyA.KERNEL32(00000000,030A1335), ref: 030A0534
                                                  • _memicmp.MSVCRT ref: 030A0557
                                                  • lstrlenA.KERNEL32(03092780), ref: 030A0567
                                                  • _snprintf.MSVCRT ref: 030A057B
                                                  • _memicmp.MSVCRT ref: 030A0596
                                                  • lstrcatA.KERNEL32(00000000,00000000), ref: 030A05A7
                                                  • lstrcatA.KERNEL32(00000000,00000000), ref: 030A05F1
                                                  • lstrcatA.KERNEL32(00000000,030A2B84), ref: 030A05F9
                                                  • strtok.MSVCRT ref: 030A0602
                                                  • lstrcatA.KERNEL32(00000000,00000000), ref: 030A061C
                                                  • lstrcatA.KERNEL32(00000000,), ref: 030A0624
                                                  • lstrcatA.KERNEL32(00000000,03092780), ref: 030A062B
                                                  • lstrlenA.KERNEL32(00000000), ref: 030A062E
                                                  • _snprintf.MSVCRT ref: 030A0646
                                                  • lstrlenA.KERNEL32(00000000), ref: 030A064F
                                                  • lstrlenA.KERNEL32(?), ref: 030A065A
                                                  • HeapAlloc.KERNEL32(?,00000008,00000040), ref: 030A0667
                                                  • _snprintf.MSVCRT ref: 030A0688
                                                  • sscanf.MSVCRT ref: 030A06A0
                                                  • strstr.MSVCRT ref: 030A06B7
                                                  • strstr.MSVCRT ref: 030A06D2
                                                  • lstrlenA.KERNEL32(00000000), ref: 030A06E6
                                                  • lstrlenA.KERNEL32(-00000002), ref: 030A06F3
                                                  • HeapAlloc.KERNEL32(?,00000008,?), ref: 030A06FF
                                                  • lstrlenA.KERNEL32(00000000), ref: 030A0714
                                                  • lstrlenA.KERNEL32(-00000002), ref: 030A0721
                                                  • lstrcpynA.KERNEL32(?,-00000002,?), ref: 030A072C
                                                  • lstrlenA.KERNEL32(?), ref: 030A0736
                                                  • lstrlenA.KERNEL32(03092780), ref: 030A073E
                                                  • HeapAlloc.KERNEL32(?,00000008,?), ref: 030A074B
                                                  • lstrlenA.KERNEL32(?,?,03092780), ref: 030A0761
                                                  • lstrlenA.KERNEL32(03092780), ref: 030A076A
                                                  • _snprintf.MSVCRT ref: 030A0787
                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 030A079F
                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 030A07AC
                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 030A07B6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$Heap$lstrcat$Alloc$_snprintf$Freestrstr$Process_memicmplstrcpysscanfstrtok$lstrcpynmemset
                                                  • String ID: $%s%s$Content-Length: $Content-Length: %d$From: $MSG %d %1s$MSG %d %s %d%s%s$Reliability: $SDG $SDG $SDG %d$SDG %d %d$X-MMS-IM-Format:
                                                  • API String ID: 375969099-2909086048
                                                  • Opcode ID: f24b80abdb54b6c3c0c7c6059cd9a1491ec374ffe49109813ec46951e0bd6107
                                                  • Instruction ID: faec509dda68e3b7b98add68c608c4dfbcaf7c9a0a0f8e04859cb36e3a12060c
                                                  • Opcode Fuzzy Hash: f24b80abdb54b6c3c0c7c6059cd9a1491ec374ffe49109813ec46951e0bd6107
                                                  • Instruction Fuzzy Hash: ECA151B5E01B0DBBDB14EBE8AC85EBF77BCEB88640F044555B914A7241EA74DA048B60
                                                  APIs
                                                  • memset.MSVCRT ref: 0309F459
                                                  • memset.MSVCRT ref: 0309F472
                                                  • memset.MSVCRT ref: 0309F48B
                                                  • memset.MSVCRT ref: 0309F4A4
                                                  • memset.MSVCRT ref: 0309F4BD
                                                  • memset.MSVCRT ref: 0309F4D6
                                                  • memset.MSVCRT ref: 0309F4F2
                                                  • memset.MSVCRT ref: 0309F50B
                                                  • memset.MSVCRT ref: 0309F526
                                                  • memset.MSVCRT ref: 0309F541
                                                  • memset.MSVCRT ref: 0309F55C
                                                  • sprintf.MSVCRT ref: 0309F571
                                                  • sprintf.MSVCRT ref: 0309F586
                                                  • wsprintfW.USER32 ref: 0309F5A4
                                                  • sprintf.MSVCRT ref: 0309F5BC
                                                  • sprintf.MSVCRT ref: 0309F5D3
                                                  • sprintf.MSVCRT ref: 0309F5EC
                                                  • wsprintfW.USER32 ref: 0309F607
                                                  • wsprintfW.USER32 ref: 0309F61B
                                                    • Part of subcall function 03091CF0: GetFileAttributesW.KERNEL32(?), ref: 03091CF7
                                                  • _stricmp.MSVCRT(00000000,ERR), ref: 0309F64B
                                                  • _stricmp.MSVCRT(030DA920,00000000), ref: 0309F65D
                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 0309F684
                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 0309F692
                                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 0309F6A0
                                                  • CreateDirectoryA.KERNEL32(?,00000000), ref: 0309F6AA
                                                  • GetLastError.KERNEL32 ref: 0309F6B4
                                                  • CopyFileW.KERNEL32(030DB9A0,?,00000000), ref: 0309F6CE
                                                  • lstrlenA.KERNEL32([.ShellClassInfo]CLSID={645FF040-5081-101B-9F08-00AA002F954E},00000000), ref: 0309F6DE
                                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0309F747
                                                  • lstrcpyA.KERNEL32(?,00030A2F), ref: 0309F7DA
                                                  • lstrcatA.KERNEL32(?,?), ref: 0309F7EE
                                                    • Part of subcall function 03091EA0: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,08000000,00000000), ref: 03091ECD
                                                    • Part of subcall function 03091EA0: GetLastError.KERNEL32 ref: 03091EDA
                                                  • lstrcatA.KERNEL32(?,030A2B84), ref: 0309F800
                                                  • lstrlenA.KERNEL32(?,?,00000000), ref: 0309F813
                                                  • lstrlenA.KERNEL32(00030A2F,?,00000000), ref: 0309F828
                                                  • WriteFile.KERNEL32(00000000,00030A2F,00000000), ref: 0309F837
                                                  • lstrlenA.KERNEL32(?,?,00000000), ref: 0309F87C
                                                  • WriteFile.KERNEL32(00000000,?,00000000), ref: 0309F88B
                                                  • CloseHandle.KERNEL32(00000000), ref: 0309F8B1
                                                  • Sleep.KERNEL32(00000032), ref: 0309F8C4
                                                  • SetFileAttributesA.KERNEL32(?,00000004), ref: 0309F901
                                                  • SetFileAttributesA.KERNEL32(?,00000004), ref: 0309F93A
                                                  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 0309F97D
                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 0309F984
                                                  • LockFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0309F98D
                                                  • CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 0309F9BE
                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 0309F9C5
                                                  • LockFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0309F9CE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: File$memset$Attributes$Createsprintf$lstrlen$wsprintf$ErrorLastLockSizeWrite_stricmplstrcat$CloseCopyDirectoryHandleSleeplstrcpy
                                                  • String ID: %S%S\$%s%s$ERR$[.ShellClassInfo]CLSID={645FF040-5081-101B-9F08-00AA002F954E}$usbi
                                                  • API String ID: 2867265384-2420988572
                                                  • Opcode ID: 52a26a951229b1a88a1d4dbda2415d025b3c17ace87f72c0e8108a2b689643f0
                                                  • Instruction ID: 17aebd58d4b76a993b370003acb27c0530d2dd2aee68886d5e94aea0c2e7f65d
                                                  • Opcode Fuzzy Hash: 52a26a951229b1a88a1d4dbda2415d025b3c17ace87f72c0e8108a2b689643f0
                                                  • Instruction Fuzzy Hash: DEE1E675942719BAEB20E7A4DC85FEFB7BCAB48B01F044499F508E6040D7B46A84DFA1
                                                  APIs
                                                  • memset.MSVCRT ref: 0309EA0F
                                                  • LoadLibraryW.KERNEL32(ws2_32.dll), ref: 0309EA22
                                                  • LoadLibraryW.KERNEL32(secur32.dll), ref: 0309EA29
                                                  • LoadLibraryW.KERNEL32(wininet.dll), ref: 0309EA30
                                                  • CreateMutexA.KERNEL32(00000000,00000000,030A57AC), ref: 0309EA3B
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0309EA44
                                                    • Part of subcall function 03097330: memset.MSVCRT ref: 03097351
                                                    • Part of subcall function 03097330: lstrlenA.KERNEL32(?), ref: 03097369
                                                    • Part of subcall function 03097330: _snprintf.MSVCRT ref: 03097381
                                                    • Part of subcall function 03097330: _vsnprintf.MSVCRT ref: 030973A3
                                                    • Part of subcall function 03097330: lstrlenA.KERNEL32(00000000), ref: 030973B2
                                                  • CopyFileW.KERNEL32(030DAFB0,C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe,00000000), ref: 0309EACF
                                                    • Part of subcall function 0309D6B0: RegSetValueExW.ADVAPI32(?,?,00000000,00000001,?,?), ref: 0309D731
                                                    • Part of subcall function 0309D6B0: RegCloseKey.ADVAPI32(?), ref: 0309D740
                                                  • Sleep.KERNEL32(000003E8), ref: 0309EAFC
                                                    • Part of subcall function 03091AD0: GetSystemTimeAsFileTime.KERNEL32(?), ref: 03091AE9
                                                  • DeleteFileW.KERNEL32(030DAFB0), ref: 0309EB2F
                                                  • Sleep.KERNEL32(00003A98), ref: 0309EB3A
                                                  • DeleteFileW.KERNEL32(030DAFB0), ref: 0309EB41
                                                  • lstrcpyA.KERNEL32(030DA920,ERR), ref: 0309EB61
                                                  • lstrlenA.KERNEL32(030A57C0), ref: 0309EB72
                                                  • lstrlenA.KERNEL32(030A57C0), ref: 0309EBB5
                                                  • _snprintf.MSVCRT ref: 0309EBDE
                                                  • lstrlenA.KERNEL32(00000000), ref: 0309EC15
                                                  • InitializeCriticalSection.KERNEL32(030DB3C8), ref: 0309EC32
                                                  • memset.MSVCRT ref: 0309EC5F
                                                  • wsprintfW.USER32 ref: 0309EC75
                                                  • DeleteFileW.KERNEL32(?), ref: 0309EC95
                                                  • GetLastError.KERNEL32 ref: 0309EC97
                                                    • Part of subcall function 03091CF0: GetFileAttributesW.KERNEL32(?), ref: 03091CF7
                                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000E880,00000000,00000000,00000000), ref: 0309ECB2
                                                  • CloseHandle.KERNEL32(00000000), ref: 0309ECBB
                                                  • CreateThread.KERNEL32(00000000,00000000,0309E990,00000000,00000000,00000000), ref: 0309ECCC
                                                  • CloseHandle.KERNEL32(00000000), ref: 0309ECCF
                                                  • lstrlenA.KERNEL32(030DB3E0), ref: 0309ED26
                                                  • lstrlenA.KERNEL32(C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe,?,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00000000), ref: 0309ED5E
                                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000E770,030DB990,00000000,00000000), ref: 0309ED83
                                                  • CloseHandle.KERNEL32(00000000), ref: 0309ED86
                                                  • CreateThread.KERNEL32(00000000,00000000,0309FC90,00000000,00000000,00000000), ref: 0309EDA1
                                                  • CloseHandle.KERNEL32(00000000), ref: 0309EDA4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$File$CloseCreate$HandleThread$DeleteLibraryLoadmemset$SleepTime_snprintf$AttributesCopyCriticalErrorInitializeLastMutexObjectSectionSingleSystemValueWait_vsnprintflstrcpywsprintf
                                                  • String ID: %s:Zone.Identifier$C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe$C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe$ERR$IPC_Check$Software\Microsoft\Windows\CurrentVersion\Run$Software\Microsoft\Windows\CurrentVersion\Run$binBot$msnint$msnmsg$running$secur32.dll$wininet.dll$ws2_32.dll
                                                  • API String ID: 4164503275-4218648717
                                                  • Opcode ID: 565601320f52455aa1423f51653dbc209272b294c4d77a044197cb968d51cb61
                                                  • Instruction ID: f5fc6204cfedc64fbf67bbaa16ebde301dd79f2d6c11e36d2245270c48ca09ca
                                                  • Opcode Fuzzy Hash: 565601320f52455aa1423f51653dbc209272b294c4d77a044197cb968d51cb61
                                                  • Instruction Fuzzy Hash: D7811778B837147EFE60F7A4AC47F9E769C9B40F00F040056FA15BD1C7D9E4A9409A6A
                                                  APIs
                                                  • EnterCriticalSection.KERNEL32(030DB3C8), ref: 0309E14B
                                                    • Part of subcall function 03099FF0: strtok.MSVCRT ref: 0309A013
                                                    • Part of subcall function 03099FF0: strtok.MSVCRT ref: 0309A04F
                                                  • GetLastError.KERNEL32 ref: 0309E17E
                                                  • GetLastError.KERNEL32 ref: 0309E18B
                                                  • GetLastError.KERNEL32 ref: 0309E198
                                                  • GetLastError.KERNEL32 ref: 0309E1A5
                                                  • Sleep.KERNEL32(00003A98), ref: 0309E1C8
                                                  • Sleep.KERNEL32(000003E8), ref: 0309E22B
                                                  • lstrlenA.KERNEL32(00000000), ref: 0309E24D
                                                  • _memicmp.MSVCRT ref: 0309E259
                                                  • MoveFileExW.KERNEL32(00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe,0000000B), ref: 0309E292
                                                  • MoveFileExW.KERNEL32(00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe,00000004), ref: 0309E2A4
                                                  • lstrcpyA.KERNEL32(030DA920,00000000), ref: 0309E2C0
                                                  • lstrcmpA.KERNEL32(?,030A2C7C), ref: 0309E2D3
                                                  • Sleep.KERNEL32(000007D0), ref: 0309E2FA
                                                  • Sleep.KERNEL32(000007D0), ref: 0309E30A
                                                    • Part of subcall function 0309BA00: memset.MSVCRT ref: 0309BA1E
                                                    • Part of subcall function 0309BA00: wvsprintfA.USER32(00000000,00000000,00000000), ref: 0309BA42
                                                  • DeleteFileW.KERNEL32(00000000), ref: 0309E43A
                                                  • HeapFree.KERNEL32(03490000,00000000,?), ref: 0309E45D
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 0309E46B
                                                  • LeaveCriticalSection.KERNEL32(030DB3C8), ref: 0309E478
                                                  Strings
                                                  • [d='%s"] Error getting application data path [e="%d"], xrefs: 0309E3F4
                                                  • [d="%s"] Error downloading file [e="%d"], xrefs: 0309E405
                                                  • [d="%s"] Error writing download to "%S" [e="%d"], xrefs: 0309E383, 0309E3AE
                                                  • rebooting, xrefs: 0309E2DE
                                                  • C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe, xrefs: 0309E279, 0309E28C, 0309E29E, 0309E3A8, 0309E415
                                                  • QUIT :%s, xrefs: 0309E2E3
                                                  • [d="%s"] Error getting temporary filename. [e="%d"], xrefs: 0309E3D1
                                                  • [d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"], xrefs: 0309E36E
                                                  • [d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d, xrefs: 0309E41C
                                                  • [d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s), xrefs: 0309E359
                                                  • bsod, xrefs: 0309E312
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: ErrorLastSleep$File$CriticalMoveSectionstrtok$??3@DeleteEnterFreeHeapLeave_memicmplstrcmplstrcpylstrlenmemsetwvsprintf
                                                  • String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe$QUIT :%s$[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]$[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)$[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d$[d="%s"] Error downloading file [e="%d"]$[d="%s"] Error getting temporary filename. [e="%d"]$[d="%s"] Error writing download to "%S" [e="%d"]$[d='%s"] Error getting application data path [e="%d"]$bsod$rebooting
                                                  • API String ID: 4206007775-3140567578
                                                  • Opcode ID: 30206d9af6adbd3a9a4e8de4261618c4b99bb9b8396598bc69d373852d2e908f
                                                  • Instruction ID: 1ce5ff758abc8f06300c0b24d032b913bfaae179cfa911f4399cb5a0f73b3c22
                                                  • Opcode Fuzzy Hash: 30206d9af6adbd3a9a4e8de4261618c4b99bb9b8396598bc69d373852d2e908f
                                                  • Instruction Fuzzy Hash: C081D6B4A43704FFFF10EBA8EC49E6EB7B8EF45600F144516F9229A146D6759900EB21
                                                  APIs
                                                  • EnterCriticalSection.KERNEL32(030DB3C8), ref: 0309DDCF
                                                    • Part of subcall function 03099FF0: strtok.MSVCRT ref: 0309A013
                                                    • Part of subcall function 03099FF0: strtok.MSVCRT ref: 0309A04F
                                                  • strstr.MSVCRT ref: 0309DDF4
                                                  • lstrlenA.KERNEL32(?), ref: 0309DE11
                                                  • toupper.MSVCRT ref: 0309DE28
                                                  • GetLastError.KERNEL32 ref: 0309DE68
                                                  • GetLastError.KERNEL32 ref: 0309DE71
                                                  • GetLastError.KERNEL32 ref: 0309DE7A
                                                  • GetLastError.KERNEL32 ref: 0309DE83
                                                  • Sleep.KERNEL32(00003A98), ref: 0309DEA8
                                                  • Sleep.KERNEL32(000003E8), ref: 0309DF16
                                                  • _stricmp.MSVCRT(?,00000000), ref: 0309DF3D
                                                  • Sleep.KERNEL32(00000032), ref: 0309DF6A
                                                  • GetLastError.KERNEL32([d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"],?,?,?,00000000), ref: 0309E021
                                                  • GetLastError.KERNEL32 ref: 0309E059
                                                  • GetLastError.KERNEL32([d="%s" s="%d bytes"] Error creating process "%S" [e="%d"],?,?,?,00000000), ref: 0309E037
                                                    • Part of subcall function 0309BA00: memset.MSVCRT ref: 0309BA1E
                                                    • Part of subcall function 0309BA00: wvsprintfA.USER32(00000000,00000000,00000000), ref: 0309BA42
                                                  • HeapFree.KERNEL32(03490000,00000000,?), ref: 0309E0DD
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 0309E0EB
                                                  • LeaveCriticalSection.KERNEL32(030DB3C8), ref: 0309E0F8
                                                  Strings
                                                  • [d='%s"] Error getting application data path [e="%d"], xrefs: 0309E080
                                                  • [d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s), xrefs: 0309DFFE
                                                  • [d="%s"] Error downloading file [e="%d"], xrefs: 0309E08E
                                                  • [d="%s"] Error writing download to "%S" [e="%d"], xrefs: 0309E042
                                                  • http://, xrefs: 0309DDEE
                                                  • [d="%s"] Error getting temporary filename. [e="%d"], xrefs: 0309E060
                                                  • dlds, xrefs: 0309DE44, 0309DFA6
                                                  • [d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"], xrefs: 0309E017
                                                  • [d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d, xrefs: 0309E0A5
                                                  • ERR, xrefs: 0309DFEC
                                                  • [d="%s" s="%d bytes"] Error creating process "%S" [e="%d"], xrefs: 0309E030
                                                  • exe, xrefs: 0309DEE4
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$Sleep$CriticalSectionstrtok$??3@EnterFreeHeapLeave_stricmplstrlenmemsetstrstrtoupperwvsprintf
                                                  • String ID: ERR$[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)$[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]$[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d$[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]$[d="%s"] Error downloading file [e="%d"]$[d="%s"] Error getting temporary filename. [e="%d"]$[d="%s"] Error writing download to "%S" [e="%d"]$[d='%s"] Error getting application data path [e="%d"]$dlds$exe$http://
                                                  • API String ID: 3190375853-4059846736
                                                  • Opcode ID: 5633e94e357eebdc4870b6214bc1af0c7f05d4d3b7bff49a401e8f591e9ef11b
                                                  • Instruction ID: 9bd5624d9f237bd5e76be19c6050417b88edb3c7baba33f919c52047a4dc038c
                                                  • Opcode Fuzzy Hash: 5633e94e357eebdc4870b6214bc1af0c7f05d4d3b7bff49a401e8f591e9ef11b
                                                  • Instruction Fuzzy Hash: 3E911779A43704AFEF10EB98DC95ABFB3F8EF84700F18441AE815A7245D670E940E761
                                                  APIs
                                                  • memset.MSVCRT ref: 030A0930
                                                  • GetProcessHeap.KERNEL32 ref: 030A093D
                                                  • memset.MSVCRT ref: 030A095D
                                                  • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 030A0982
                                                  • ShellExecuteA.SHELL32(00000000,OPEN,00000000,00000000,00000000,00000005), ref: 030A09BF
                                                    • Part of subcall function 030973E0: memset.MSVCRT ref: 03097401
                                                    • Part of subcall function 030973E0: memset.MSVCRT ref: 03097419
                                                    • Part of subcall function 030973E0: lstrlenA.KERNEL32(?), ref: 03097431
                                                    • Part of subcall function 030973E0: _snprintf.MSVCRT ref: 03097449
                                                    • Part of subcall function 030973E0: _vsnprintf.MSVCRT ref: 0309746B
                                                    • Part of subcall function 030973E0: lstrlenA.KERNEL32(?), ref: 0309747A
                                                  • GetTickCount.KERNEL32 ref: 030A09CF
                                                  • Sleep.KERNEL32 ref: 030A0A05
                                                  • OpenMutexA.KERNEL32(001F0001,00000000,030A57AC), ref: 030A0A17
                                                  • GetLastError.KERNEL32 ref: 030A0A27
                                                  • GetLastError.KERNEL32 ref: 030A0A2E
                                                  • ExitProcess.KERNEL32 ref: 030A0A32
                                                  • lstrlenA.KERNEL32(30e4*ga1), ref: 030A0A3D
                                                  • _snprintf.MSVCRT ref: 030A0A60
                                                  • ExitProcess.KERNEL32 ref: 030A0A79
                                                  • ExitProcess.KERNEL32 ref: 030A0A98
                                                  • GetModuleFileNameW.KERNEL32(00000000,030DAFB0,00000208), ref: 030A0ACC
                                                  • wsprintfW.USER32 ref: 030A0ADE
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe,000000FF,C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe,00000104,00000000,00000000), ref: 030A0B06
                                                  • lstrcpynW.KERNEL32(030DB1B8,00000000,00000208), ref: 030A0B13
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,030DB3E0,00000104,00000000,00000000), ref: 030A0B2E
                                                  • Sleep.KERNEL32(000009C4), ref: 030A0B59
                                                  • ExitProcess.KERNEL32 ref: 030A0B70
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: Process$Exitmemset$lstrlen$ByteCharErrorFileLastModuleMultiNameSleepWide_snprintf$CountExecuteHeapMutexOpenShellTick_vsnprintflstrcpynwsprintf
                                                  • String ID: %08x$%s\Microsoft\Windows\%s.exe$30e4*ga1$C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe$C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe$OPEN$binBot$running
                                                  • API String ID: 2173303953-110749845
                                                  • Opcode ID: 5cd398cd341c5907cf6d1f00205764ee65c62906661070b383d0414fa5dd28af
                                                  • Instruction ID: ac472f91c3bfd4e84682f8891a93cf87c8ae657b3e52098cc4ae99bcf5c12e79
                                                  • Opcode Fuzzy Hash: 5cd398cd341c5907cf6d1f00205764ee65c62906661070b383d0414fa5dd28af
                                                  • Instruction Fuzzy Hash: EE51D279B83B047FEB10F7E8BC0AFDE3AA89B94B41F044051F619EA0C5DAF455408B65
                                                  APIs
                                                  • memset.MSVCRT ref: 03097898
                                                  • lstrlenA.KERNEL32(-00000005,00000000,00000000,?,?,?,00000000,?), ref: 0309795D
                                                  • _snprintf.MSVCRT ref: 0309797B
                                                  • _snprintf.MSVCRT ref: 030979B7
                                                  • lstrlenA.KERNEL32(030DA2B0,?,00000000,?), ref: 03097A5A
                                                  • lstrlenA.KERNEL32(030DA4B0), ref: 03097A69
                                                  • _snprintf.MSVCRT ref: 03097AD9
                                                  • _stricmp.MSVCRT(030DA2B0,anonymous,00000000,000001FF,ftp://%s:%s@%s:%d,030DA2B0,030DA4B0,00000000,00000000), ref: 03097AE8
                                                  • _snprintf.MSVCRT ref: 03097B66
                                                    • Part of subcall function 03092460: GetProcessHeap.KERNEL32(?,030920DE,?), ref: 0309246C
                                                    • Part of subcall function 03092460: HeapAlloc.KERNEL32(03490000,00000008,030920DE,?,030920DE,?), ref: 0309247E
                                                  • lstrcpyA.KERNEL32(030DA2B0,030A1335,?,00000000,?), ref: 03097BBC
                                                  • lstrcpyA.KERNEL32(030DA4B0,030A1335), ref: 03097BC8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: _snprintf$lstrlen$Heaplstrcpy$AllocProcess_stricmpmemset
                                                  • String ID: %s.%s (p='%S')$%s:%s@%s:%d$C:\Windows\SysWOW64\calc.exe$FEAT$LIST$PASS$PASV$STAT$TYPE$USER$anonymous$block$ftp://%s:%s@%s:%d$ftpgrab$ftplog$pop3://%s:%s@%s:%d$popgrab$poplog
                                                  • API String ID: 389836911-1830104289
                                                  • Opcode ID: 9aee0c03b6af33fddd47840ca738833b5a73af742dc23f844125a3ec640a732d
                                                  • Instruction ID: 674c925169afdc36d698637a6a38802234382422c682645186cd2a071c5c4b92
                                                  • Opcode Fuzzy Hash: 9aee0c03b6af33fddd47840ca738833b5a73af742dc23f844125a3ec640a732d
                                                  • Instruction Fuzzy Hash: 29815833B53745AEFF34EEAC9C49FAE3AEC9B80F04F0C4457E814AA142D6759550A262
                                                  APIs
                                                  • GetProcessHeap.KERNEL32(00000000,00000000,00000000,030A037C,?,030A32E4,00000000,00000000,httpi), ref: 0309FE11
                                                  • lstrlenA.KERNEL32(?), ref: 0309FE40
                                                  • HeapAlloc.KERNEL32(00000000,00000008,00000001), ref: 0309FE47
                                                  • lstrlenA.KERNEL32(?), ref: 0309FE5E
                                                  • lstrlenA.KERNEL32(?), ref: 0309FE72
                                                  • lstrlenA.KERNEL32(?), ref: 0309FE7C
                                                  • HeapAlloc.KERNEL32(?,00000008,00000002), ref: 0309FE89
                                                  • strtok.MSVCRT ref: 0309FEA2
                                                  • lstrcpyA.KERNEL32(00000000,030A1335), ref: 0309FEBB
                                                  • lstrcatA.KERNEL32(00000000,030A19DC), ref: 0309FECD
                                                  • lstrlenA.KERNEL32(00000000), ref: 0309FEE4
                                                  • _memicmp.MSVCRT ref: 0309FEEF
                                                  • lstrcatA.KERNEL32(00000000,?), ref: 0309FF0A
                                                  • lstrlenA.KERNEL32(?), ref: 0309FF14
                                                  • HeapAlloc.KERNEL32(?,00000008,00000000), ref: 0309FF1F
                                                  • lstrlenA.KERNEL32(?), ref: 0309FF33
                                                  • lstrcatA.KERNEL32(00000000,030A3328), ref: 0309FF4B
                                                  • strstr.MSVCRT ref: 0309FF5C
                                                  • lstrlenA.KERNEL32(00000000), ref: 0309FF65
                                                  • lstrlenA.KERNEL32(?), ref: 0309FF6B
                                                  • strncat.MSVCRT ref: 0309FF77
                                                  • lstrcatA.KERNEL32(00000000,030A2B54), ref: 0309FF85
                                                  • lstrlenA.KERNEL32(?), ref: 0309FF8F
                                                  • HeapAlloc.KERNEL32(?,00000008,00000000), ref: 0309FF9A
                                                  • lstrlenA.KERNEL32(?), ref: 0309FFAA
                                                    • Part of subcall function 0309FD80: isalnum.MSVCRT ref: 0309FDAC
                                                    • Part of subcall function 0309FD80: strchr.MSVCRT ref: 0309FDBE
                                                  • lstrcatA.KERNEL32(00000000,00000000), ref: 0309FFBE
                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 0309FFCB
                                                  • lstrcatA.KERNEL32(00000000,?), ref: 0309FFDF
                                                  • strtok.MSVCRT ref: 0309FFEC
                                                  • HeapFree.KERNEL32(?,00000000,?), ref: 030A000F
                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 030A001C
                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 030A003C
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$Heap$lstrcat$AllocFree$strtok$Process_memicmpisalnumlstrcpystrchrstrncatstrstr
                                                  • String ID:
                                                  • API String ID: 423345748-0
                                                  • Opcode ID: 79a1af79cf068186b313a35dc7c28fdd90dcfbd0408e40a3afbb5e16832bb55c
                                                  • Instruction ID: 8168a863f14212bde470c57151136840724c55e1613bdc83503237ed2cfa251c
                                                  • Opcode Fuzzy Hash: 79a1af79cf068186b313a35dc7c28fdd90dcfbd0408e40a3afbb5e16832bb55c
                                                  • Instruction Fuzzy Hash: 3061B479902A19BFDB14EFA8EC84EBFB7B8EF84641F144119F804D7244DB74D9419BA0
                                                  APIs
                                                  • memset.MSVCRT ref: 030999D5
                                                  • memset.MSVCRT ref: 030999EF
                                                  • WSAStartup.WS2_32(00000002,?), ref: 03099A00
                                                    • Part of subcall function 03099300: inet_addr.WS2_32(0309226E), ref: 03099308
                                                    • Part of subcall function 03099300: gethostbyname.WS2_32(0309226E), ref: 03099313
                                                  • htons.WS2_32(00000050), ref: 03099A28
                                                  • GetTickCount.KERNEL32 ref: 03099A3A
                                                  • GetTickCount.KERNEL32 ref: 03099A4D
                                                  • socket.WS2_32(00000002,00000001,00000000), ref: 03099A7B
                                                  • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 03099A96
                                                  • connect.WS2_32(?,?,00000010), ref: 03099AB1
                                                  • Sleep.KERNEL32(00000064,?,?,00000010,00000002,00000001,00000000), ref: 03099ABE
                                                  • GetTickCount.KERNEL32 ref: 03099AC4
                                                  • lstrcpyA.KERNEL32(00000000,X-a: b), ref: 03099AFE
                                                  • lstrcpyA.KERNEL32(00000000,Connection: Close), ref: 03099B0C
                                                  • lstrlenA.KERNEL32(00000000), ref: 03099B0F
                                                  • send.WS2_32(?,00000000,00000000,00000000), ref: 03099B41
                                                  • Sleep.KERNEL32(000003E8,?,00000000,00000000,00000000), ref: 03099B51
                                                  • lstrlenA.KERNEL32(00000000), ref: 03099B5E
                                                  • GetTickCount.KERNEL32 ref: 03099B66
                                                  • Sleep.KERNEL32(000009C4), ref: 03099B7F
                                                  • send.WS2_32(?,00000000,00000000,00000000), ref: 03099BBE
                                                  • GetTickCount.KERNEL32 ref: 03099BD2
                                                  • lstrlenA.KERNEL32(00000000), ref: 03099BE4
                                                  • send.WS2_32(?,00000000,00000000,00000000), ref: 03099C1E
                                                  • closesocket.WS2_32(?), ref: 03099C38
                                                  • GetTickCount.KERNEL32 ref: 03099C43
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: CountTick$Sleeplstrlensend$lstrcpymemset$Startupclosesocketconnectgethostbynamehtonsinet_addrioctlsocketsocket
                                                  • String ID: Connection: Close$X-a: b
                                                  • API String ID: 1989272289-3524857483
                                                  • Opcode ID: 8c1cf535dfeb0f47c9d183c0fd748a975ab32dbd38d99d3659b43d0bbfbe3a44
                                                  • Instruction ID: 2d54fb57df691264392ce89621022163d8bcf23025d4974d3dd6451e905bf8de
                                                  • Opcode Fuzzy Hash: 8c1cf535dfeb0f47c9d183c0fd748a975ab32dbd38d99d3659b43d0bbfbe3a44
                                                  • Instruction Fuzzy Hash: FB712C76902618BBEB10EBE8ED45FDEB3BCEB88700F004559E909A7180D774AE41DF90
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$Heap$Alloc_memicmp_snprintfmemsetstrtok$Freelstrcpynsscanf
                                                  • String ID: HTTP$Host: $POST /%1023s$http://%s/$http://%s/%s
                                                  • API String ID: 3179755921-1264106924
                                                  • Opcode ID: 421d1a12987d8347cd7ff234dee0fb1be4bc866f44e7a0c69a2fe27388048a24
                                                  • Instruction ID: d8f0ac02a1d0801bb7beb831404e9d3f008cbb2c684ef61f784e0e586327f80f
                                                  • Opcode Fuzzy Hash: 421d1a12987d8347cd7ff234dee0fb1be4bc866f44e7a0c69a2fe27388048a24
                                                  • Instruction Fuzzy Hash: 3B4118B6E437187BEB20EAA8AC41FEF73ECDF84650F044491FB09A7140E6745A058BE0
                                                  APIs
                                                  • memset.MSVCRT ref: 03096A68
                                                  • lstrlenA.KERNEL32 ref: 03096B03
                                                  • _memicmp.MSVCRT ref: 03096B0E
                                                  • _memicmp.MSVCRT ref: 03096B22
                                                  • _memicmp.MSVCRT ref: 03096B36
                                                  • sscanf.MSVCRT ref: 03096B4F
                                                  • sscanf.MSVCRT ref: 03096B69
                                                  • lstrlenA.KERNEL32(?), ref: 03096BD5
                                                  • SetFileAttributesW.KERNEL32(C:\Windows\SysWOW64\calc.exe,00000080), ref: 03096C31
                                                  • MoveFileExW.KERNEL32(C:\Windows\SysWOW64\calc.exe,00000000,00000004), ref: 03096C40
                                                  • closesocket.WS2_32(?), ref: 03096C60
                                                  • ExitThread.KERNEL32 ref: 03096C67
                                                    • Part of subcall function 0309A310: memset.MSVCRT ref: 0309A335
                                                    • Part of subcall function 0309A310: memset.MSVCRT ref: 0309A34F
                                                    • Part of subcall function 0309A310: memset.MSVCRT ref: 0309A369
                                                    • Part of subcall function 0309A310: _vsnprintf.MSVCRT ref: 0309A382
                                                    • Part of subcall function 0309A310: sprintf.MSVCRT ref: 0309A39A
                                                    • Part of subcall function 0309A310: lstrlenA.KERNEL32(30e4*ga1,?,?,00000000,000003FF,?,00000000,771B0440,?,030974EB,%s.%s,blk,?,?,000001FE,030A0A8E), ref: 0309A3AD
                                                    • Part of subcall function 0309A310: _snprintf.MSVCRT ref: 0309A3CC
                                                    • Part of subcall function 0309A310: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000,771B0440,?,030974EB), ref: 0309A3DB
                                                    • Part of subcall function 0309A310: sprintf.MSVCRT ref: 0309A3EC
                                                    • Part of subcall function 0309A310: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 0309A3FB
                                                    • Part of subcall function 0309A310: lstrlenA.KERNEL32(30e4*ga1,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 0309A404
                                                    • Part of subcall function 0309A310: EnterCriticalSection.KERNEL32(030DAC34,?,?,00000000), ref: 0309A436
                                                    • Part of subcall function 0309A310: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000003,00000000,00000000), ref: 0309A452
                                                    • Part of subcall function 0309A310: LeaveCriticalSection.KERNEL32(030DAC34,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0309A464
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$memset$File_memicmp$CriticalSectionsprintfsscanf$AttributesCreateEnterExitLeaveMoveThread_snprintf_vsnprintfclosesocket
                                                  • String ID: %s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).$%s.Detected process "%S" sending an IRC packet to server %s:%d.$%s:%d$C:\Windows\SysWOW64\calc.exe$JOIN$JOIN %255s$PRIVMSG$PRIVMSG %255s$block$cnc$pdef
                                                  • API String ID: 1085873876-2761489137
                                                  • Opcode ID: 37832fa2738a65df55b6808da763c7da1646682524512f804cf1723555c62608
                                                  • Instruction ID: 5c4382c1037b877475231ac1ca08c2c66be09a6fd1430194b8ac6d5468218fb8
                                                  • Opcode Fuzzy Hash: 37832fa2738a65df55b6808da763c7da1646682524512f804cf1723555c62608
                                                  • Instruction Fuzzy Hash: 4A510775E0370C7BEF20EAD8AC82FEE73E8AB45750F084456F914AB141E6769580E6A1
                                                  APIs
                                                  • memset.MSVCRT ref: 030A0071
                                                  • GetProcessHeap.KERNEL32(00000000,00000000,00000000), ref: 030A0080
                                                  • lstrlenA.KERNEL32(00000000), ref: 030A00AB
                                                  • HeapAlloc.KERNEL32(00000000,00000008,00000001), ref: 030A00B6
                                                  • lstrcpyA.KERNEL32(00000000,00000000), ref: 030A00CB
                                                  • lstrlenA.KERNEL32(00000000), ref: 030A00D2
                                                  • HeapAlloc.KERNEL32(00000000,00000008,00000001), ref: 030A00E3
                                                  • strtok.MSVCRT ref: 030A00F9
                                                  • strstr.MSVCRT ref: 030A0117
                                                  • strstr.MSVCRT ref: 030A0129
                                                  • lstrcatA.KERNEL32(00000000,030A2B84), ref: 030A0141
                                                  • _memicmp.MSVCRT ref: 030A014E
                                                  • lstrcatA.KERNEL32(00000000,Content-Length: ), ref: 030A0160
                                                  • _snprintf.MSVCRT ref: 030A0177
                                                  • lstrcatA.KERNEL32(00000000,00000000), ref: 030A018A
                                                  • strtok.MSVCRT ref: 030A0193
                                                  • lstrcatA.KERNEL32(00000000,), ref: 030A01AB
                                                  • lstrcatA.KERNEL32(00000000,00000000), ref: 030A01B2
                                                  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 030A01BE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: lstrcat$Heap$Alloclstrlenstrstrstrtok$FreeProcess_memicmp_snprintflstrcpymemset
                                                  • String ID: $Content-Length:
                                                  • API String ID: 4006885983-3599722475
                                                  • Opcode ID: bf5c9e2741615cca02a09d283bd53c8ffc9d786702cd8c7ead0065ff0d3c05b4
                                                  • Instruction ID: cffc892cfb6cba8c81aaca319f8eee40fab29d479a36f87bfa64e05f05961f06
                                                  • Opcode Fuzzy Hash: bf5c9e2741615cca02a09d283bd53c8ffc9d786702cd8c7ead0065ff0d3c05b4
                                                  • Instruction Fuzzy Hash: B641F475A03F1C7BD710EAECBC45FEFB7AC9F94711F084154FD08AA241E6B48A458AA1
                                                  APIs
                                                  • memset.MSVCRT ref: 0309A335
                                                  • memset.MSVCRT ref: 0309A34F
                                                  • memset.MSVCRT ref: 0309A369
                                                  • _vsnprintf.MSVCRT ref: 0309A382
                                                  • sprintf.MSVCRT ref: 0309A39A
                                                  • lstrlenA.KERNEL32(30e4*ga1,?,?,00000000,000003FF,?,00000000,771B0440,?,030974EB,%s.%s,blk,?,?,000001FE,030A0A8E), ref: 0309A3AD
                                                  • _snprintf.MSVCRT ref: 0309A3CC
                                                  • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000,771B0440,?,030974EB), ref: 0309A3DB
                                                  • sprintf.MSVCRT ref: 0309A3EC
                                                  • lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 0309A3FB
                                                  • lstrlenA.KERNEL32(30e4*ga1,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 0309A404
                                                  • EnterCriticalSection.KERNEL32(030DAC34,?,?,00000000), ref: 0309A436
                                                  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000003,00000000,00000000), ref: 0309A452
                                                  • LeaveCriticalSection.KERNEL32(030DAC34,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0309A464
                                                  • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0309A484
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0309A48B
                                                  • Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0309A496
                                                  • LeaveCriticalSection.KERNEL32(030DAC34,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0309A4A1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$CriticalSectionmemset$FileLeavesprintf$CloseCreateEnterHandleSleepWrite_snprintf_vsnprintf
                                                  • String ID: %d.$30e4*ga1$\\.\pipe\%08x_ipc
                                                  • API String ID: 4010528547-1120921377
                                                  • Opcode ID: 028b4eff737f1996e4d1506170c62515d65d94488c5456d184cdcb1eea294a27
                                                  • Instruction ID: 9d682da5bcdb83dae20d01fdf84f11913cb338a3ada853eebaa84a12e7aa6061
                                                  • Opcode Fuzzy Hash: 028b4eff737f1996e4d1506170c62515d65d94488c5456d184cdcb1eea294a27
                                                  • Instruction Fuzzy Hash: 6E41C5BA64271CBFD714E7E8EC45FEE736CDBC8711F004594F708AA081DAB46A448B65
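The two function entries above (the IRC-packet "Detected process ..." logger that also touches C:\Windows\SysWOW64\calc.exe, and the `\\.\pipe\%08x_ipc` writer) give host-side artifacts a responder can hunt for in a process dump. The script below is an added example, not part of the Joe Sandbox report and not the sample's own code: it matches the string-table entries listed above in both their ASCII form and, for the paths handed to W-suffixed APIs such as SetFileAttributesW/MoveFileExW, their UTF-16LE form. The pipe-name pattern accepts both the `%08x` template the binary carries and the 8-hex-digit instance a running copy creates; what fills that field is not stated in the report. The marker names and the sample dump bytes are constructed for the example.

```python
import re

# Markers taken from the String ID lists above. Format templates (with %s,
# %S, %08x) are what the binary holds; the instantiated forms are what a
# live dump holds, so the patterns accept both where it matters.
MARKERS = {
    # "\\.\pipe\%08x_ipc": template in the image, 8 hex digits at runtime.
    "ipc_pipe": rb"\\\\\.\\pipe\\(?:%08x|[0-9a-f]{8})_ipc",
    "version_tag": rb"30e4\*ga1",
    "irc_sniff_log": rb"Detected process \"%S\" sending an IRC packet to server",
    "hijack_log": rb"%s\.%s hijacked!|p(?:10|21)-> Message (?:to %s )?hijacked!",
    # Mangled IRC client verbs from the command parser's string table.
    "mangled_irc": rb"\b(?:KCIK|PPNG|PPPPMSG) ",
    # Passed to MoveFileExW(path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT) above,
    # i.e. the API's delete-on-reboot form; stored as UTF-16LE for the W API.
    "delayed_delete_target": rb"C:\\Windows\\SysWOW64\\calc\.exe",
}

# A run of at least six printable ASCII code units in UTF-16LE ("strings -el").
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def wide_strings_as_ascii(blob):
    """Recover UTF-16LE strings and return them newline-joined as ASCII bytes
    so the same byte patterns can be applied to both encodings."""
    runs = [m.group(0).decode("utf-16-le").encode("ascii")
            for m in WIDE_RUN.finditer(blob)]
    return b"\n".join(runs)


def scan(blob):
    """Return {marker: [(view, matched_bytes), ...]} over the raw ASCII view
    and the decoded UTF-16LE view of the dump. Markers with no hit are absent."""
    views = [("ascii", blob), ("utf16", wide_strings_as_ascii(blob))]
    hits = {}
    for name, pattern in MARKERS.items():
        rx = re.compile(pattern)
        for view_name, data in views:
            for m in rx.finditer(data):
                hits.setdefault(name, []).append((view_name, m.group(0)))
    return hits


# Constructed dump fragment (not taken from the report): the pipe template
# and one instantiated pipe name, the version tag, two mangled verbs, and the
# calc.exe path as the W APIs see it.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"\\\\.\\pipe\\%08x_ipc\x00"
    + b"\\\\.\\pipe\\0000a1b2_ipc\x00"
    + b"30e4*ga1\x00"
    + b"KCIK %s\x00PPNG %s\x00"
    + "C:\\Windows\\SysWOW64\\calc.exe".encode("utf-16-le") + b"\x00\x00"
    + b"\x90" * 8
)

if __name__ == "__main__":
    for marker, found in sorted(scan(SAMPLE_DUMP).items()):
        for view, match in found:
            print(f"{marker:22s} {view:5s} {match!r}")
```

Run it against a .sdmp from the report (the 03090000 region above) with `scan(open(path, "rb").read())`; a hit on the instantiated pipe form, rather than only the template, is the sign that the code actually executed in that process.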
                                                  APIs
                                                  • memset.MSVCRT ref: 030A0202
                                                  • GetProcessHeap.KERNEL32(00000000,00000000,00000000), ref: 030A0213
                                                  • EnterCriticalSection.KERNEL32(030DB4E4), ref: 030A0223
                                                  • strstr.MSVCRT ref: 030A0243
                                                  • lstrlenA.KERNEL32(00000000), ref: 030A0254
                                                  • HeapAlloc.KERNEL32(00000000,00000008,00000001), ref: 030A025F
                                                  • lstrcpyA.KERNEL32(00000000,00000000), ref: 030A0272
                                                  • strstr.MSVCRT ref: 030A0281
                                                  • _snprintf.MSVCRT ref: 030A02C8
                                                  • strstr.MSVCRT ref: 030A02EF
                                                  • atoi.MSVCRT ref: 030A0322
                                                  • lstrlenA.KERNEL32(00000000), ref: 030A0386
                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 030A03E4
                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 030A03EE
                                                  • LeaveCriticalSection.KERNEL32(030DB4E4), ref: 030A03FD
                                                  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 030A041F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: Heap$Freestrstr$CriticalSectionlstrlen$AllocEnterLeaveProcess_snprintfatoilstrcpymemset
                                                  • String ID: $%s.%s hijacked!$%s=$http$httpi$httpspread$int$msg
                                                  • API String ID: 2097228407-1593535274
                                                  • Opcode ID: 08426d4e001d60580304da470d4fcf611409a627a8894f1c0ed26c51e1d8fd08
                                                  • Instruction ID: 297c94c9894a8858d1a7c3b3f743aeaae5f8db696424df081fb7182aa5fbca5a
                                                  • Opcode Fuzzy Hash: 08426d4e001d60580304da470d4fcf611409a627a8894f1c0ed26c51e1d8fd08
                                                  • Instruction Fuzzy Hash: 1E51B776A47F1DAFDB10DAE8BC85BFEF7BCFB44600F084429E914A6101DA74990087A0
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: strstrstrtok$lstrcmplstrlen
                                                  • String ID: 001$332$376$433$C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe$JOIN$KCIK %s$MOTD$PING$PPNG %s$PPPPMSG$SEND %s %s
                                                  • API String ID: 4048585210-2797855610
                                                  • Opcode ID: 575bb8f3ea5af29c431aba8e53d78566564680159890695369ea9c7fc55bd3b2
                                                  • Instruction ID: b45dba1bc4b05842f9979124e83a7f400a7c29cde40222c925f854edde7a352e
                                                  • Opcode Fuzzy Hash: 575bb8f3ea5af29c431aba8e53d78566564680159890695369ea9c7fc55bd3b2
                                                  • Instruction Fuzzy Hash: 3851297AB833092BFE10F66CBC41EAEB39CEB85515F0485A7FC18DA102F971E81156E1
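The command parser above keys on the standard IRC server numerics 001, 332, 376 and 433 but sends non-standard client verbs ("KCIK %s", "PPNG %s", "PPPPMSG") alongside the ordinary JOIN, PING and MOTD. A network detector that keys on the RFC verbs therefore sees a normal IRCd on one side and nothing recognisable on the other. The script below is an added example, not part of the Joe Sandbox report and not the sample's own code: it parses an IRC-shaped conversation and flags a session only when a mangled client verb is paired with genuine server numerics. Which standard verb each mangled one stands in for (KCIK for NICK, PPNG for PONG, PPPPMSG for PRIVMSG) is an assumption drawn from their letters, and both sample sessions are constructed, not captured traffic.

```python
import re
from dataclasses import dataclass, field

# Client verbs from this sample's string table. The standard verb each one
# replaces is an assumption based on letter content; the server numerics the
# bot parses (001, 332, 376, 433) are ordinary IRC replies.
MANGLED_VERBS = {"KCIK": "NICK", "PPNG": "PONG", "PPPPMSG": "PRIVMSG"}
SERVER_NUMERICS = {"001": "RPL_WELCOME", "332": "RPL_TOPIC",
                   "376": "RPL_ENDOFMOTD", "433": "ERR_NICKNAMEINUSE"}

# ":prefix " is optional; the command is a verb or a three-digit numeric.
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+) )?(?P<cmd>[A-Za-z]+|\d{3})(?: (?P<params>.*))?$")


@dataclass
class Verdict:
    score: int = 0
    mangled_seen: int = 0
    numerics_seen: int = 0
    reasons: list = field(default_factory=list)


def parse_irc_line(line):
    """Return (prefix, COMMAND, params) or None if the line is not IRC-shaped."""
    m = IRC_LINE.match(line.strip())
    if m is None:
        return None
    return m.group("prefix"), m.group("cmd").upper(), m.group("params") or ""


def score_stream(stream):
    """stream: iterable of (direction, line); direction is 'C' for
    client->server or 'S' for server->client. A mangled client verb weighs 3,
    a confirming server numeric weighs 1; everything else is ignored."""
    v = Verdict()
    for direction, raw in stream:
        parsed = parse_irc_line(raw)
        if parsed is None:
            continue
        _, cmd, params = parsed
        if direction == "C" and cmd in MANGLED_VERBS:
            v.score += 3
            v.mangled_seen += 1
            v.reasons.append(
                f"client {cmd} (in place of {MANGLED_VERBS[cmd]}): {params[:40]}")
        elif direction == "S" and cmd in SERVER_NUMERICS:
            v.score += 1
            v.numerics_seen += 1
            v.reasons.append(f"server {cmd} {SERVER_NUMERICS[cmd]}")
    return v


def is_darkbot_c2(stream):
    """Flag only when the client used a mangled verb AND the peer answered
    with real IRC numerics; numerics alone are just an IRC session."""
    v = score_stream(list(stream))
    return v.mangled_seen >= 1 and v.numerics_seen >= 1


# Constructed session in the shape the string table implies: KCIK to
# register, a PPNG answer to the server's PING, PPPPMSG to the channel.
SAMPLE_C2 = [
    ("C", "KCIK bot7"),
    ("C", "USER k 0 0 :k"),
    ("S", ":irc.example.test 001 bot7 :Welcome"),
    ("S", ":irc.example.test 376 bot7 :End of /MOTD command."),
    ("C", "JOIN #chan"),
    ("S", "PING :irc.example.test"),
    ("C", "PPNG :irc.example.test"),
    ("C", "PPPPMSG #chan :SEND 1 2"),
]

# Constructed ordinary client session against the same server: must not fire.
SAMPLE_BENIGN = [
    ("C", "NICK alice"),
    ("C", "USER alice 0 * :Alice"),
    ("S", ":irc.example.test 001 alice :Welcome"),
    ("S", "PING :irc.example.test"),
    ("C", "PONG :irc.example.test"),
    ("C", "PRIVMSG #chan :hi"),
]

if __name__ == "__main__":
    for name, session in (("c2", SAMPLE_C2), ("benign", SAMPLE_BENIGN)):
        v = score_stream(session)
        print(name, is_darkbot_c2(session), v.score, *v.reasons, sep="\n  ")
```

Feeding it a reassembled TCP stream (one line per CRLF-terminated record, direction taken from the flow) is enough; the verb list is deliberately short so that a new letter-shuffled verb from a later build shows up as an unmatched command rather than a silent miss, which is the place to extend `MANGLED_VERBS`.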
                                                  APIs
                                                  • lstrlenA.KERNEL32(?,00000000,00000000,00000000,?,?,03097CC2,00000000,030A2914,?,?,?,?,?,?), ref: 0309AE11
                                                  • HeapAlloc.KERNEL32(03490000,00000008,00000001,?,03097CC2,00000000,030A2914,?,?,?,?,?,?,?,00000000), ref: 0309AE23
                                                  • HeapAlloc.KERNEL32(03490000,00000008,-00000002,?,?,?,?,?,?,00000000), ref: 0309AE41
                                                  • strstr.MSVCRT ref: 0309AE59
                                                  • lstrcpyA.KERNEL32(00000000,?), ref: 0309AE70
                                                  • lstrcpyA.KERNEL32(00000000,?), ref: 0309AE77
                                                  • lstrcatA.KERNEL32(00000000,030A2B54), ref: 0309AE7F
                                                  • strtok.MSVCRT ref: 0309AE8E
                                                  • lstrlenA.KERNEL32(00000000), ref: 0309AEA1
                                                  • _strnicmp.MSVCRT ref: 0309AEA6
                                                  • strtok.MSVCRT ref: 0309AEB9
                                                  • HeapFree.KERNEL32(03490000,00000000,00000000), ref: 0309AED5
                                                  • HeapFree.KERNEL32(03490000,00000000,00000000), ref: 0309AEEB
                                                  • strstr.MSVCRT ref: 0309AF10
                                                  • lstrlenA.KERNEL32(00000001), ref: 0309AF20
                                                  • lstrlenA.KERNEL32(00000001), ref: 0309AF27
                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0309AF2B
                                                  • lstrlenA.KERNEL32(00000001), ref: 0309AF3D
                                                  • lstrcpyA.KERNEL32(?,00000001), ref: 0309AF58
                                                  • lstrlenA.KERNEL32(00000001,?,00000001), ref: 0309AF5F
                                                  • lstrlenA.KERNEL32(00000001,?,00000001), ref: 0309AF6B
                                                  • HeapFree.KERNEL32(03490000,00000000,00000000,?,00000001), ref: 0309AF82
                                                  • HeapFree.KERNEL32(03490000,00000000,00000000,?,00000001), ref: 0309AF91
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$Heap$Free$lstrcpy$Allocstrstrstrtok$??2@_strnicmplstrcat
                                                  • String ID:
                                                  • API String ID: 3119447416-0
                                                  • Opcode ID: 457df6ef68ee812cf84a54136c4d6972e6f99a28ce597b6cb14df54ce4ecaf5d
                                                  • Instruction ID: a488e710cfc78af891f12813f8aeffe22dca10465a8403bfe4ff68f1446f81ab
                                                  • Opcode Fuzzy Hash: 457df6ef68ee812cf84a54136c4d6972e6f99a28ce597b6cb14df54ce4ecaf5d
                                                  • Instruction Fuzzy Hash: 0C41A379A02714AFDB10EFA8EC80FAF77BCEF89610F144059FD049B240DA78E91197A5
                                                  APIs
                                                  • sscanf.MSVCRT ref: 0309260F
                                                    • Part of subcall function 030A07D0: lstrlenA.KERNEL32(0309262A,?,?,00000000,?,0309262A,?,030A7008), ref: 030A07DC
                                                    • Part of subcall function 030A07D0: lstrcpyA.KERNEL32(00000000,0309262A,?,030A7008), ref: 030A07F9
                                                  • strstr.MSVCRT ref: 0309264F
                                                    • Part of subcall function 03097700: memset.MSVCRT ref: 0309771E
                                                    • Part of subcall function 03097700: _snprintf.MSVCRT ref: 03097738
                                                    • Part of subcall function 03097700: lstrlenA.KERNEL32(00000000), ref: 03097747
                                                  • atoi.MSVCRT ref: 030926FB
                                                  • atoi.MSVCRT ref: 03092713
                                                  • lstrlenA.KERNEL32(00000000), ref: 0309276B
                                                  • lstrlenA.KERNEL32(00000000,00000000), ref: 0309278C
                                                  • HeapFree.KERNEL32(03490000,00000000,00000000), ref: 030927F9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$atoi$FreeHeap_snprintflstrcpymemsetsscanfstrstr
                                                  • String ID: %s.p10-> Message hijacked!$%s.p10-> Message to %s hijacked!$%s.p21-> Message hijacked!$CAL $CAL %d %256s$MSG $MSG $SDG $X-MMS-IM-Format:$baddr$msn$msnint$msnmsg$msnu
                                                  • API String ID: 1527159713-2027340701
                                                  • Opcode ID: a4f5438a22670a1c21c2b4ec75920d0fd53713c202f1cbd52933d0b400842ae6
                                                  • Instruction ID: 29dc74f233b3688f78f9f388271dc31348ed71aa21da63d8b6c93494d3585d57
                                                  • Opcode Fuzzy Hash: a4f5438a22670a1c21c2b4ec75920d0fd53713c202f1cbd52933d0b400842ae6
                                                  • Instruction Fuzzy Hash: 1E515F7AE437087BEF20EAECBC819EFB3FCDB44511F04886BE814AA202D57595415692
                                                  APIs
                                                  • strstr.MSVCRT ref: 03097C62
                                                  • _stricmp.MSVCRT(?,cPanel,blog,%s-%s-%s,?,?,00000000), ref: 03097D58
                                                  • _stricmp.MSVCRT(00000000,WHM), ref: 03097D71
                                                  • _stricmp.MSVCRT(?,WHCMS), ref: 03097D8A
                                                  • _stricmp.MSVCRT(?,Directadmin), ref: 03097DA3
                                                    • Part of subcall function 0309A310: memset.MSVCRT ref: 0309A335
                                                    • Part of subcall function 0309A310: memset.MSVCRT ref: 0309A34F
                                                    • Part of subcall function 0309A310: memset.MSVCRT ref: 0309A369
                                                    • Part of subcall function 0309A310: _vsnprintf.MSVCRT ref: 0309A382
                                                    • Part of subcall function 0309A310: sprintf.MSVCRT ref: 0309A39A
                                                    • Part of subcall function 0309A310: lstrlenA.KERNEL32(30e4*ga1,?,?,00000000,000003FF,?,00000000,771B0440,?,030974EB,%s.%s,blk,?,?,000001FE,030A0A8E), ref: 0309A3AD
                                                    • Part of subcall function 0309A310: _snprintf.MSVCRT ref: 0309A3CC
                                                    • Part of subcall function 0309A310: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000,771B0440,?,030974EB), ref: 0309A3DB
                                                    • Part of subcall function 0309A310: sprintf.MSVCRT ref: 0309A3EC
                                                    • Part of subcall function 0309A310: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 0309A3FB
                                                    • Part of subcall function 0309A310: lstrlenA.KERNEL32(30e4*ga1,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 0309A404
                                                    • Part of subcall function 0309A310: EnterCriticalSection.KERNEL32(030DAC34,?,?,00000000), ref: 0309A436
                                                    • Part of subcall function 0309A310: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000003,00000000,00000000), ref: 0309A452
                                                    • Part of subcall function 0309A310: LeaveCriticalSection.KERNEL32(030DAC34,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0309A464
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 03097E02
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 03097E12
                                                    • Part of subcall function 030973E0: memset.MSVCRT ref: 03097401
                                                    • Part of subcall function 030973E0: memset.MSVCRT ref: 03097419
                                                    • Part of subcall function 030973E0: lstrlenA.KERNEL32(?), ref: 03097431
                                                    • Part of subcall function 030973E0: _snprintf.MSVCRT ref: 03097449
                                                    • Part of subcall function 030973E0: _vsnprintf.MSVCRT ref: 0309746B
                                                    • Part of subcall function 030973E0: lstrlenA.KERNEL32(?), ref: 0309747A
                                                    • Part of subcall function 03097330: memset.MSVCRT ref: 03097351
                                                    • Part of subcall function 03097330: lstrlenA.KERNEL32(?), ref: 03097369
                                                    • Part of subcall function 03097330: _snprintf.MSVCRT ref: 03097381
                                                    • Part of subcall function 03097330: _vsnprintf.MSVCRT ref: 030973A3
                                                    • Part of subcall function 03097330: lstrlenA.KERNEL32(00000000), ref: 030973B2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$memset$_stricmp$_snprintf_vsnprintf$??3@CriticalSectionsprintf$CreateEnterFileLeavestrstr
                                                  • String ID: %s-%s-%s$%s.%s ->> %s (%s : %s)$%s.%s ->> %s : %s$Directadmin$WHCMS$WHM$blog$cPanel$ffgrab$httplogin$iegrab
                                                  • API String ID: 3716863481-3153587688
                                                  • Opcode ID: bd63eaf30c1384692083aec5c1219804ca4f1a19d46e5243544293cb779d9809
                                                  • Instruction ID: 3f4f9bd26b06db932d84d5f56461632d89bdfd757b8d782e337c476c32f9d9c6
                                                  • Opcode Fuzzy Hash: bd63eaf30c1384692083aec5c1219804ca4f1a19d46e5243544293cb779d9809
                                                  • Instruction Fuzzy Hash: E051B7BAE13619AFEF14EBD8EC41DBF73BCAF44900F08401AF81696601E675E901D7A1
                                                  APIs
                                                  • memset.MSVCRT ref: 0309E5B0
                                                  • EnterCriticalSection.KERNEL32(030DB3C8), ref: 0309E5C9
                                                  • strtok.MSVCRT ref: 0309E5FE
                                                  • strstr.MSVCRT ref: 0309E617
                                                  • strstr.MSVCRT ref: 0309E62D
                                                  • strstr.MSVCRT ref: 0309E642
                                                  • lstrlenA.KERNEL32(00000000), ref: 0309E655
                                                  • lstrlenA.KERNEL32(00000000), ref: 0309E65B
                                                  • lstrcpyA.KERNEL32(00000000,030A1335), ref: 0309E678
                                                  • lstrcpynA.KERNEL32(00000000,00000000,00000000), ref: 0309E687
                                                    • Part of subcall function 03097500: lstrlenA.KERNEL32(?), ref: 0309752B
                                                    • Part of subcall function 03097500: _snprintf.MSVCRT ref: 03097547
                                                    • Part of subcall function 03097500: _vsnprintf.MSVCRT ref: 03097569
                                                    • Part of subcall function 03097500: lstrcmpA.KERNEL32(?,bdns), ref: 0309758B
                                                    • Part of subcall function 03097500: StrStrIA.SHLWAPI(?,00000000), ref: 0309759F
                                                    • Part of subcall function 03097500: lstrlenA.KERNEL32(?), ref: 030975B9
                                                  • strtok.MSVCRT ref: 0309E6CF
                                                  • HeapFree.KERNEL32(03490000,00000000,?), ref: 0309E71E
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 0309E72D
                                                  • LeaveCriticalSection.KERNEL32(030DB3C8), ref: 0309E73A
                                                    • Part of subcall function 0309AA10: memset.MSVCRT ref: 0309AA31
                                                    • Part of subcall function 0309AA10: lstrcpyA.KERNEL32(00000000,Mozilla/4.0), ref: 0309AA45
                                                    • Part of subcall function 0309AA10: InternetOpenA.WININET(00000000,?,?,?,?), ref: 0309AA60
                                                    • Part of subcall function 0309AA10: lstrlenA.KERNEL32(?), ref: 0309AA78
                                                    • Part of subcall function 0309AA10: InternetOpenUrlA.WININET(?,?,?,00000000,04000000,00000000), ref: 0309AA8C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$strstr$CriticalInternetOpenSectionlstrcpymemsetstrtok$??3@EnterFreeHeapLeave_snprintf_vsnprintflstrcmplstrcpyn
                                                  • String ID: [DNS]: Blocked %d domain(s) - Redirected %d domain(s)$bdns$block
                                                  • API String ID: 1940452476-536441337
                                                  • Opcode ID: 4c3e52c7d33f217232d1fcf0b4fc4575d7cf04217ec3684bcbcd72129b88560f
                                                  • Instruction ID: 4caec294167f550fe4b626ab40eab526f0741eea58cbaf1a1c89643dfff8f4d6
                                                  • Opcode Fuzzy Hash: 4c3e52c7d33f217232d1fcf0b4fc4575d7cf04217ec3684bcbcd72129b88560f
                                                  • Instruction Fuzzy Hash: C441157AA02B087FDB14EAE8FC41DEFB7BCDBC0640F144456F915AA102E6B55A40D7A1
                                                  APIs
                                                  • GetProcessHeap.KERNEL32 ref: 030A0C89
                                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\SysWOW64\calc.exe,00000104), ref: 030A0C9F
                                                  • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\SysWOW64\calc.exe,00000208), ref: 030A0CB0
                                                  • GetWindowsDirectoryA.KERNEL32(C:\Windows,00000104), ref: 030A0CC0
                                                    • Part of subcall function 030919F0: wcsrchr.MSVCRT ref: 030919F9
                                                  • InitializeCriticalSection.KERNEL32(030DAC34), ref: 030A0CE3
                                                  • InitializeCriticalSection.KERNEL32(030DB4E4), ref: 030A0CEA
                                                  • MoveFileExW.KERNEL32(C:\Windows\SysWOW64\calc.exe,00000000,00000004), ref: 030A0DA5
                                                    • Part of subcall function 0309A150: memset.MSVCRT ref: 0309A170
                                                    • Part of subcall function 0309A150: GetWindowsDirectoryW.KERNEL32(?,00000208,?,?,?), ref: 0309A184
                                                    • Part of subcall function 0309A150: _memicmp.MSVCRT ref: 0309A1C3
                                                  • SetFileAttributesW.KERNEL32(C:\Windows\SysWOW64\calc.exe,00000080), ref: 030A0D96
                                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000E9F0,00000000,00000000,00000000), ref: 030A0DED
                                                  • CloseHandle.KERNEL32(00000000), ref: 030A0DF4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: File$CriticalDirectoryInitializeModuleNameSectionWindows$AttributesCloseCreateHandleHeapMoveProcessThread_memicmpmemsetwcsrchr
                                                  • String ID: %s.%S$C:\Windows$C:\Windows\SysWOW64\calc.exe$C:\Windows\SysWOW64\calc.exe$brk$ruskill
                                                  • API String ID: 2870590860-1440597919
                                                  • Opcode ID: bc943e1ed36ea34239a04c55f1036300f8dbdd369b6f0225807576c79485cd4d
                                                  • Instruction ID: 9420d720568266fb8ce4223207ffefea72dd3ba643db23c138f0772a69cd49bc
                                                  • Opcode Fuzzy Hash: bc943e1ed36ea34239a04c55f1036300f8dbdd369b6f0225807576c79485cd4d
                                                  • Instruction Fuzzy Hash: FF31F636783F04BFE720FBE9BC06F5E37E4AB44F51F040421FA219D086D6E960118A6A
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: Filewcsstr$Attributes$ExitMoveThread
                                                  • String ID: %s.%S$DBWIN$\\.\pipe$brk$dll$exe$ruskill
                                                  • API String ID: 294512176-1976196219
                                                  • Opcode ID: 50edec1b6a6758499a17ff477514fca354ce674b96b5099fe452211cd810868c
                                                  • Instruction ID: 4e023e867230248b65e340db027766c1c3902227d4ff62d6f552b7aac5adea8c
                                                  • Opcode Fuzzy Hash: 50edec1b6a6758499a17ff477514fca354ce674b96b5099fe452211cd810868c
                                                  • Instruction Fuzzy Hash: 3D411376703B1ABFEB08DE88BC41FDE33ACDB48612F084126FD149A640E775990196A9
                                                  APIs
                                                  • GetProcessHeap.KERNEL32(00000008,00000208), ref: 0309B312
                                                  • HeapAlloc.KERNEL32(00000000), ref: 0309B319
                                                  • memset.MSVCRT ref: 0309B339
                                                  • memset.MSVCRT ref: 0309B354
                                                  • GetWindowsDirectoryW.KERNEL32(?,00000208), ref: 0309B387
                                                  • lstrcpynW.KERNEL32(?,?,00000004), ref: 0309B3A1
                                                  • GetVolumeInformationW.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0309B3BB
                                                  • lstrlenA.KERNEL32(30e4*ga1), ref: 0309B3D8
                                                  • lstrlenA.KERNEL32(30e4*ga1), ref: 0309B3F0
                                                  • lstrcatW.KERNEL32(00000000,.exe), ref: 0309B461
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: Heaplstrlenmemset$AllocDirectoryInformationProcessVolumeWindowslstrcatlstrcpyn
                                                  • String ID: .exe$30e4*ga1$lol$lol.exe
                                                  • API String ID: 1748614950-3879922668
                                                  • Opcode ID: c0f23a228925e9a999cded05d53f3b2ce51c0b1c3f649036865b59e17da0b4cb
                                                  • Instruction ID: 9832589df45e3c7769bafc3e30e3111ff5b17ca46becc8241f6d2a20d42da338
                                                  • Opcode Fuzzy Hash: c0f23a228925e9a999cded05d53f3b2ce51c0b1c3f649036865b59e17da0b4cb
                                                  • Instruction Fuzzy Hash: 3A412E71603718BBDB20C7A9EC05AEFBBB9EF89311F04C1A6F558D6141D6B88A00D7A5
                                                  APIs
                                                  • memset.MSVCRT ref: 030910C0
                                                  • lstrcmpW.KERNEL32(?,C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe), ref: 030910D7
                                                  • lstrcmpW.KERNEL32(?,C:\Windows\SysWOW64\calc.exe), ref: 0309111D
                                                  • MoveFileExW.KERNEL32(?,00000000,00000004), ref: 03091127
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000104,00000000,00000000), ref: 03091161
                                                  • lstrcpyA.KERNEL32(030A6D88,00000000), ref: 03091179
                                                  • lstrcpyA.KERNEL32(00000000,030A1335), ref: 03091187
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000104,00000000,00000000), ref: 030911A0
                                                  • lstrcpyA.KERNEL32(030A6E90,00000000), ref: 030911B3
                                                    • Part of subcall function 03097700: memset.MSVCRT ref: 0309771E
                                                    • Part of subcall function 03097700: _snprintf.MSVCRT ref: 03097738
                                                    • Part of subcall function 03097700: lstrlenA.KERNEL32(00000000), ref: 03097747
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: lstrcpy$ByteCharMultiWidelstrcmpmemset$FileMove_snprintflstrlen
                                                  • String ID: %s.%S$C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe$C:\Windows\SysWOW64\calc.exe$pdef$ruskill
                                                  • API String ID: 1230166232-1892349087
                                                  • Opcode ID: 0e7656c67cf88f69ed3f25af9e042bc8b1788e5dad4112954cfd4d337db4b5ec
                                                  • Instruction ID: 14bfb06aecc69a2ec65cdbb376ad2a97b7caacbcfc35efb078c15adb25d6c21e
                                                  • Opcode Fuzzy Hash: 0e7656c67cf88f69ed3f25af9e042bc8b1788e5dad4112954cfd4d337db4b5ec
                                                  • Instruction Fuzzy Hash: 753128757427197BFB24DA9CAC82FEE73AC9B85B10F040156FB24AA1C0D6F0A9408669
                                                  APIs
                                                  • memset.MSVCRT ref: 0309180E
                                                  • memset.MSVCRT ref: 03091829
                                                  • wcsstr.MSVCRT ref: 03091842
                                                  • lstrcmpA.KERNEL32(00000000,block), ref: 03091888
                                                  • strstr.MSVCRT ref: 03091898
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000208), ref: 030918B7
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000104,00000000,00000000), ref: 03091905
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWidememset$lstrcmpstrstrwcsstr
                                                  • String ID: %s.%S$C:\Windows\SysWOW64\calc.exe$bdns$block$brk$rdns
                                                  • API String ID: 695720605-234551137
                                                  • Opcode ID: 51305d4970d62a5032191fd32596d335ff118914deb4d76f0e2d9e250fc7b6b6
                                                  • Instruction ID: c9fc05e463c1ba581c8347fccac8c771e36bf1bb9391e50ca72275b582eb858c
                                                  • Opcode Fuzzy Hash: 51305d4970d62a5032191fd32596d335ff118914deb4d76f0e2d9e250fc7b6b6
                                                  • Instruction Fuzzy Hash: 9F514776B027097BEF24EE88EC05FEF77BC9B84B01F08415AF8159A181E6B49500D6A1
                                                  APIs
                                                  • memset.MSVCRT ref: 0309AA31
                                                  • lstrcpyA.KERNEL32(00000000,Mozilla/4.0), ref: 0309AA45
                                                  • InternetOpenA.WININET(00000000,?,?,?,?), ref: 0309AA60
                                                  • lstrlenA.KERNEL32(?), ref: 0309AA78
                                                  • InternetOpenUrlA.WININET(?,?,?,00000000,04000000,00000000), ref: 0309AA8C
                                                  • HttpQueryInfoA.WININET(?,20000013,?,?,00000000), ref: 0309AAC0
                                                  • InternetQueryDataAvailable.WININET(00000000,?,00000000,00000000), ref: 0309AAE2
                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0309AB15
                                                  • InternetReadFile.WININET(00000000,?,00000FF8,00000001), ref: 0309AB67
                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0309AB85
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 0309ABA5
                                                  • InternetCloseHandle.WININET(00000000), ref: 0309ABE7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: Internet$??2@OpenQuery$??3@AvailableCloseDataFileHandleHttpInfoReadlstrcpylstrlenmemset
                                                  • String ID: Mozilla/4.0
                                                  • API String ID: 2392773942-2634101963
                                                  • Opcode ID: 96cac63454be9963d122468e338ac86ef3a851fda6fb6462a7f036fd3c1fbba2
                                                  • Instruction ID: 905f8fbdb49ccdd8c3cd05d2108b3465de3bd0fe93e5a197dd96e250ef9fb780
                                                  • Opcode Fuzzy Hash: 96cac63454be9963d122468e338ac86ef3a851fda6fb6462a7f036fd3c1fbba2
                                                  • Instruction Fuzzy Hash: E951A375A03245AFEB60EF59E884FAA77F8EF88700F05406EE909D7244D7749954CF90
                                                  APIs
                                                  • memset.MSVCRT ref: 03092243
                                                  • WSAStartup.WS2_32(00000202,?), ref: 03092257
                                                    • Part of subcall function 03099300: inet_addr.WS2_32(0309226E), ref: 03099308
                                                    • Part of subcall function 03099300: gethostbyname.WS2_32(0309226E), ref: 03099313
                                                  • htons.WS2_32(00000050), ref: 03092288
                                                  • socket.WS2_32(00000002,00000001,00000006), ref: 03092297
                                                  • connect.WS2_32(00000000,?,00000010), ref: 030922AE
                                                  • GetTickCount.KERNEL32 ref: 030922C3
                                                  • GetTickCount.KERNEL32 ref: 030922F4
                                                  • GetTickCount.KERNEL32 ref: 03092307
                                                  • send.WS2_32(00000000,00000000,00000400,00000000), ref: 03092344
                                                  • GetTickCount.KERNEL32 ref: 03092350
                                                  • closesocket.WS2_32(00000000), ref: 03092363
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: CountTick$Startupclosesocketconnectgethostbynamehtonsinet_addrmemsetsendsocket
                                                  • String ID: gfff$i.root-servers.org
                                                  • API String ID: 99835129-3534201491
                                                  • Opcode ID: ba94a5b3c98ce94f1acc1b60f1917266660ff8c9fc796869ee444c8d1d386580
                                                  • Instruction ID: 29ccabcf558bfd4738f58f6008eb53d229a3437810b9a28c9a8f6b43b5859dfd
                                                  • Opcode Fuzzy Hash: ba94a5b3c98ce94f1acc1b60f1917266660ff8c9fc796869ee444c8d1d386580
                                                  • Instruction Fuzzy Hash: E7314B75B0230C67EB54E5ADAC417FEA29D8F88610F044566E90CDB2C0EAB08D4157D6
                                                  APIs
                                                  • memset.MSVCRT ref: 03099850
                                                  • strtok.MSVCRT ref: 0309986E
                                                  • HeapFree.KERNEL32(03490000,00000000,?), ref: 0309988B
                                                  • lstrcpynA.KERNEL32(00000000,00000000,00000400), ref: 030998A8
                                                  • strtok.MSVCRT ref: 030998B5
                                                  • HeapFree.KERNEL32(03490000,00000000,?), ref: 030998D1
                                                  • HeapFree.KERNEL32(03490000,00000000,?), ref: 0309999C
                                                  Strings
                                                  • [UDP]: Starting flood on "%s:%d" for %d second(s), xrefs: 0309993A
                                                  • [UDP]: Finished flood on "%s:%d", xrefs: 03099970
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: FreeHeap$strtok$lstrcpynmemset
                                                  • String ID: [UDP]: Finished flood on "%s:%d"$[UDP]: Starting flood on "%s:%d" for %d second(s)
                                                  • API String ID: 216847750-2644890838
                                                  • Opcode ID: 0c6d3c3faa086be9f8a7e13f65b12379c67c56bcf19ad2e95971cc2f22efce13
                                                  • Instruction ID: b9fd8e1f3a61f8a4de314408662f365cc6a82791961a1ccebdf3b56e6ddc44fa
                                                  • Opcode Fuzzy Hash: 0c6d3c3faa086be9f8a7e13f65b12379c67c56bcf19ad2e95971cc2f22efce13
                                                  • Instruction Fuzzy Hash: B7314BFA6037087FFB10F6E9BC45FAB33ACEB85605F04016DFE09AA145E67558009BA5
                                                  APIs
                                                  • memset.MSVCRT ref: 030996D0
                                                  • strtok.MSVCRT ref: 030996EE
                                                  • HeapFree.KERNEL32(03490000,00000000,?), ref: 0309970B
                                                  • lstrcpynA.KERNEL32(00000000,00000000,00000400), ref: 03099728
                                                  • strtok.MSVCRT ref: 03099735
                                                  • HeapFree.KERNEL32(03490000,00000000,?), ref: 03099751
                                                  • HeapFree.KERNEL32(03490000,00000000,?), ref: 0309981C
                                                  Strings
                                                  • [SYN]: Finished flood on "%s:%d", xrefs: 030997F0
                                                  • [SYN]: Starting flood on "%s:%d" for %d second(s), xrefs: 030997BA
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: FreeHeap$strtok$lstrcpynmemset
                                                  • String ID: [SYN]: Finished flood on "%s:%d"$[SYN]: Starting flood on "%s:%d" for %d second(s)
                                                  • API String ID: 216847750-3475151101
                                                  • Opcode ID: 23a56b8897f496ea1b5e2ab7631e5d0d655c4b751309ecc356f0cec5a71afa2b
                                                  • Instruction ID: a8abab9b4308adfbfd626607040d0e753ffb67079dae4851d550d7e7c96ab846
                                                  • Opcode Fuzzy Hash: 23a56b8897f496ea1b5e2ab7631e5d0d655c4b751309ecc356f0cec5a71afa2b
                                                  • Instruction Fuzzy Hash: BB313BB6A037087FFB20F6A4BC45FAB73ACEB85645F04006DFE05AA145D674580097A4
                                                  APIs
                                                  • memset.MSVCRT ref: 0309A89E
                                                    • Part of subcall function 03097790: memset.MSVCRT ref: 030977AE
                                                    • Part of subcall function 03097790: memset.MSVCRT ref: 030977C8
                                                    • Part of subcall function 03097790: lstrcpyA.KERNEL32(00000000,off), ref: 030977F0
                                                    • Part of subcall function 03097790: _snprintf.MSVCRT ref: 0309780D
                                                    • Part of subcall function 03097790: lstrlenA.KERNEL32(00000000), ref: 03097822
                                                    • Part of subcall function 03097790: lstrlenA.KERNEL32(00000000), ref: 03097858
                                                  • _snprintf.MSVCRT ref: 0309A936
                                                    • Part of subcall function 03097500: lstrlenA.KERNEL32(?), ref: 0309752B
                                                    • Part of subcall function 03097500: _snprintf.MSVCRT ref: 03097547
                                                    • Part of subcall function 03097500: _vsnprintf.MSVCRT ref: 03097569
                                                    • Part of subcall function 03097500: lstrcmpA.KERNEL32(?,bdns), ref: 0309758B
                                                    • Part of subcall function 03097500: StrStrIA.SHLWAPI(?,00000000), ref: 0309759F
                                                    • Part of subcall function 03097500: lstrlenA.KERNEL32(?), ref: 030975B9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$_snprintfmemset$_vsnprintflstrcmplstrcpy
                                                  • String ID: bdns$ffgrab$ftpgrab$http$httpi$iegrab$int$msg$msn$msnu$pdef$popgrab$usbi
                                                  • API String ID: 3955240783-2907616027
                                                  • Opcode ID: 3c09a0736c56faed0915f4e627ebecd9e3b22796f91c3371a43a777f42a2314d
                                                  • Instruction ID: f286222b39a6259896be235b10697f3f3ecb8e4b62c6ee80c3822b539ac1cf21
                                                  • Opcode Fuzzy Hash: 3c09a0736c56faed0915f4e627ebecd9e3b22796f91c3371a43a777f42a2314d
                                                  • Instruction Fuzzy Hash: 6D11097ABF3B067EFE64F6E87C83FDFA1991B80F01F00046576287D0C2A9E12540916A
                                                  APIs
                                                  • CoCreateInstance.OLE32(030A3634,00000000,00000001,030A3614,?), ref: 0309EE5B
                                                  • memset.MSVCRT ref: 0309EE81
                                                  • lstrcpyA.KERNEL32(00000000,?), ref: 0309EE9A
                                                  • lstrcatA.KERNEL32(00000000,030A2C78), ref: 0309EEAE
                                                  • lstrcatA.KERNEL32(00000000,?), ref: 0309EEBB
                                                  • memset.MSVCRT ref: 0309EED5
                                                  • SHGetFileInfoA.SHELL32(?,00000000,00000000,00000160,00001000), ref: 0309EEF4
                                                  • memset.MSVCRT ref: 0309EF68
                                                  • lstrcpyA.KERNEL32(00000000,?), ref: 0309EF7B
                                                  • lstrcatA.KERNEL32(00000000,030A2F5C), ref: 0309EF89
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000104), ref: 0309EFA4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: lstrcatmemset$lstrcpy$ByteCharCreateFileInfoInstanceMultiWide
                                                  • String ID: shell32.dll
                                                  • API String ID: 3196525290-3366042328
                                                  • Opcode ID: 202a3659d479f2a137185ab5a195c3424a7103bc7c84d5719e1d2047dd70c21d
                                                  • Instruction ID: 0efba75e586f447411a30bcf7e6357fadf374b968ab0c85802f81a1cf912d3c8
                                                  • Opcode Fuzzy Hash: 202a3659d479f2a137185ab5a195c3424a7103bc7c84d5719e1d2047dd70c21d
                                                  • Instruction Fuzzy Hash: 81513175A00608AFDB54DB98DC85FDAB3B9AFCC700F104598F618EB290D7B1AE45CB64
                                                  APIs
                                                  • memset.MSVCRT ref: 03096F91
                                                  • lstrcpyA.KERNEL32(00000000,HKCU\), ref: 03096FFE
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000400), ref: 03097017
                                                  • _wcsnicmp.MSVCRT ref: 03097061
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWide_wcsnicmplstrcpymemset
                                                  • String ID: %S%s%s$%s.%s%s$C:\Windows\SysWOW64\calc.exe$HKCU\$HKLM\$Software\Microsoft\Windows\CurrentVersion\Run$brk$rreg
                                                  • API String ID: 2911520168-3865444693
                                                  • Opcode ID: dd91c8c3ca9e77e512de0ad1425f8f1aa325b7aaa01ce23296c2b2f038a0eb85
                                                  • Instruction ID: 39a87f162d73a8c26e43544decf7018fc854c849b5a0b117a6f06c677eef10c5
                                                  • Opcode Fuzzy Hash: dd91c8c3ca9e77e512de0ad1425f8f1aa325b7aaa01ce23296c2b2f038a0eb85
                                                  • Instruction Fuzzy Hash: 674192B6A52318BFDF10DED8AC42FEE77FCBB88610F04425AF905E6141E670955087A5
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: _vsnprintflstrlenmemset$_memicmp_snprintf
                                                  • String ID: %s.%s$%s_$blk$block
                                                  • API String ID: 3657324510-3589362310
                                                  • Opcode ID: b3d25153825c0309ea0b8720ab92a21c7bcb537ed503bc9f639f41d5de53895e
                                                  • Instruction ID: e5eae86a328d45633c03514fb44270e3eff4fbaff51b34cd3648d6ea6267a7f7
                                                  • Opcode Fuzzy Hash: b3d25153825c0309ea0b8720ab92a21c7bcb537ed503bc9f639f41d5de53895e
                                                  • Instruction Fuzzy Hash: 3621FBB7A4131D7FEB10EA9CEC81FFB73ACEB84714F4441A9BA1896141E6709A0586A0
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: memset$lstrcpy$CountTicksprintfstrtok
                                                  • String ID: %s / ?%d HTTP/1.1Host: %sUser-Agent: %sKeep-Alive: 300Connection: keep-aliveContent-Length: 42$GET$Mozilla/4.0$POST
                                                  • API String ID: 3318893083-109246470
                                                  • Opcode ID: b0c611f49c6f7b8525f8677b2d941d93aff4f3d8bde45d176b63f59bbe47e9dc
                                                  • Instruction ID: 49447874470c9ef24d61180b553b0ab24850f934bc2029e6660c2826ab2f56c2
                                                  • Opcode Fuzzy Hash: b0c611f49c6f7b8525f8677b2d941d93aff4f3d8bde45d176b63f59bbe47e9dc
                                                  • Instruction Fuzzy Hash: 3F210CBA94671C6EEB14E6ECDC45FDE736C9FD8700F0005D5F309A6041D6B0A6C48A61
                                                  APIs
                                                    • Part of subcall function 030919F0: wcsrchr.MSVCRT ref: 030919F9
                                                    • Part of subcall function 03097700: memset.MSVCRT ref: 0309771E
                                                    • Part of subcall function 03097700: _snprintf.MSVCRT ref: 03097738
                                                    • Part of subcall function 03097700: lstrlenA.KERNEL32(00000000), ref: 03097747
                                                  • strstr.MSVCRT ref: 030969A8
                                                  • lstrcmpA.KERNEL32(030A6D88,C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe,?,?,?,?,?,?), ref: 030969BE
                                                  • SetFileAttributesA.KERNEL32(030A6E90,00000080,?,?,?,?,?,?), ref: 030969D2
                                                  • DeleteFileA.KERNEL32(030A6E90,?,?,?,?,?,?), ref: 030969DD
                                                  • MoveFileExA.KERNEL32(030A6D88,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 030969EC
                                                    • Part of subcall function 0309A310: memset.MSVCRT ref: 0309A335
                                                    • Part of subcall function 0309A310: memset.MSVCRT ref: 0309A34F
                                                    • Part of subcall function 0309A310: memset.MSVCRT ref: 0309A369
                                                    • Part of subcall function 0309A310: _vsnprintf.MSVCRT ref: 0309A382
                                                    • Part of subcall function 0309A310: sprintf.MSVCRT ref: 0309A39A
                                                    • Part of subcall function 0309A310: lstrlenA.KERNEL32(30e4*ga1,?,?,00000000,000003FF,?,00000000,771B0440,?,030974EB,%s.%s,blk,?,?,000001FE,030A0A8E), ref: 0309A3AD
                                                    • Part of subcall function 0309A310: _snprintf.MSVCRT ref: 0309A3CC
                                                    • Part of subcall function 0309A310: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000,771B0440,?,030974EB), ref: 0309A3DB
                                                    • Part of subcall function 0309A310: sprintf.MSVCRT ref: 0309A3EC
                                                    • Part of subcall function 0309A310: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 0309A3FB
                                                    • Part of subcall function 0309A310: lstrlenA.KERNEL32(30e4*ga1,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 0309A404
                                                    • Part of subcall function 0309A310: EnterCriticalSection.KERNEL32(030DAC34,?,?,00000000), ref: 0309A436
                                                    • Part of subcall function 0309A310: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000003,00000000,00000000), ref: 0309A452
                                                    • Part of subcall function 0309A310: LeaveCriticalSection.KERNEL32(030DAC34,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0309A464
                                                  Strings
                                                  • C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe, xrefs: 030969B4
                                                  • C:\Windows\SysWOW64\calc.exe, xrefs: 030969FC, 03096A1A
                                                  • .exe, xrefs: 0309699C
                                                  • pdef, xrefs: 03096986
                                                  • %s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!, xrefs: 03096A06
                                                  • %s.Blocked "%S" from creating "%S", xrefs: 03096A24
                                                  • autorun.inf, xrefs: 03096970
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$Filememset$CriticalSection_snprintfsprintf$AttributesCreateDeleteEnterLeaveMove_vsnprintflstrcmpstrstrwcsrchr
                                                  • String ID: %s.Blocked "%S" from creating "%S"$%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!$.exe$C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe$C:\Windows\SysWOW64\calc.exe$autorun.inf$pdef
                                                  • API String ID: 2285763329-1097682185
                                                  • Opcode ID: e46ef5020535b52a1434cfecd3824725a745d250e507c4d868d4fe88f9742a8c
                                                  • Instruction ID: 595a5ab46ef3ce2abbb178396d2a4e1c4ab4d02fb0be0ef05a14d643040cc3ad
                                                  • Opcode Fuzzy Hash: e46ef5020535b52a1434cfecd3824725a745d250e507c4d868d4fe88f9742a8c
                                                  • Instruction Fuzzy Hash: 6911EB3EBC3B183AEE10E5DD3C46F8F72A94FA0966F0C4025F924FD20BD99394019565
                                                  APIs
                                                  • GetTickCount.KERNEL32 ref: 03098292
                                                  • GetTickCount.KERNEL32 ref: 030982A8
                                                    • Part of subcall function 030981C0: WSAStartup.WS2_32(00000202,?), ref: 030981E3
                                                  • select.WS2_32(00000000,00000000,?,00000000,?), ref: 03098314
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: CountTick$Startupselect
                                                  • String ID:
                                                  • API String ID: 3882035529-0
                                                  • Opcode ID: 861539b71401ad81547f091917b9bb9fa9f313afd7de0da0ac1eb34362a92e8a
                                                  • Instruction ID: 1ba3b3b8a9192cfd1db88e993bb8f74f58e9a38cedefae665b07194440e407d4
                                                  • Opcode Fuzzy Hash: 861539b71401ad81547f091917b9bb9fa9f313afd7de0da0ac1eb34362a92e8a
                                                  • Instruction Fuzzy Hash: C8A1E8B5901704ABEB34DF68D880AEBB3F8EF85310F00855EE59DCB340D774A9859BA1
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: lstrcmp$AttributesFile_snprintfmemsetstrrchr$ExtensionFindPath
                                                  • String ID:
                                                  • API String ID: 1691573101-0
                                                  • Opcode ID: 0f267144971cc31345431183dbe198949fda1dfa868bb2dab8f3f222ccd1ffde
                                                  • Instruction ID: dc2ed3ab2b9d2a7224a2ad8cf251d19663adf789ec3eb1f32a47f2578b70e7d0
                                                  • Opcode Fuzzy Hash: 0f267144971cc31345431183dbe198949fda1dfa868bb2dab8f3f222ccd1ffde
                                                  • Instruction Fuzzy Hash: 7931B87664771A6AEB20F69CBC01FEF729CAF84742F080475FA08E5085DBB499419AB1
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: _wcsnicmplstrcpymemset
                                                  • String ID: %S%S%S$%s.%S%S$C:\Windows\SysWOW64\calc.exe$HKCU\$HKLM\$Software\Microsoft\Windows\CurrentVersion\Run$brk$rreg
                                                  • API String ID: 1531173107-1599459415
                                                  • Opcode ID: faf7c660cef9bf02aa507695999a05c3717fedcc5efb271841b4aa189e831dcf
                                                  • Instruction ID: ec3c3a72901c115aeedadbedd66784b141524e1eb0f5f5f42ad4cbbba41d8f00
                                                  • Opcode Fuzzy Hash: faf7c660cef9bf02aa507695999a05c3717fedcc5efb271841b4aa189e831dcf
                                                  • Instruction Fuzzy Hash: 0331F67BB633147FEF14DE88AC46EEF33ECEB98A51F004146FD15AA102E570A95087A5
                                                  APIs
                                                  • memset.MSVCRT ref: 0309E8A0
                                                  • lstrlenA.KERNEL32(30e4*ga1), ref: 0309E8AD
                                                  • _snprintf.MSVCRT ref: 0309E8D0
                                                  • CreateNamedPipeA.KERNEL32(00000000,00000003,00000006,000000FF,00000800,00000800,00001388,00000000), ref: 0309E8FF
                                                  • ConnectNamedPipe.KERNEL32(00000000,00000000), ref: 0309E913
                                                  • GetLastError.KERNEL32 ref: 0309E91D
                                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000D7A0,00000000,00000000,00000000), ref: 0309E941
                                                  • CloseHandle.KERNEL32(00000000), ref: 0309E94B
                                                  • CreateNamedPipeA.KERNEL32(00000000,00000003,00000006,000000FF,00000800,00000800,00001388,00000000), ref: 0309E96E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: CreateNamedPipe$CloseConnectErrorHandleLastThread_snprintflstrlenmemset
                                                  • String ID: 30e4*ga1$\\.\pipe\%08x_ipc
                                                  • API String ID: 4065143564-3576121390
                                                  • Opcode ID: c43d4aafcb6c8c4765ad98dbea9406fd2d22d52468d129a958459963cf04fb90
                                                  • Instruction ID: 3dfb3d06d1ddf27e9bade41e14dd142297f4f0c967946dbd0850ad67d8bd6b2e
                                                  • Opcode Fuzzy Hash: c43d4aafcb6c8c4765ad98dbea9406fd2d22d52468d129a958459963cf04fb90
                                                  • Instruction Fuzzy Hash: 8A2135717C27157EF730E268AC46FAE765CAB40F61F244260F754FD0C0EAE0690186A8
                                                  APIs
                                                  • memset.MSVCRT ref: 030990A0
                                                    • Part of subcall function 0309A0F0: wcsrchr.MSVCRT ref: 0309A0FA
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000208), ref: 03099101
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWidememsetwcsrchr
                                                  • String ID: %s.Blocked possible browser exploit pack call on URL '%s'$C:\Windows\SysWOW64\calc.exe$com$exe$firefox.exe$http$iexplore.exe$pdef$pif$scr
                                                  • API String ID: 519477765-2150303736
                                                  • Opcode ID: 91bf9de38deeece1578e1f8b156acc3f91d38eee950119c67c3a53d97268ff43
                                                  • Instruction ID: 9c7969ee213dba9a63d687f388c4d5fc35e297fe955de28249e0908bafb778a3
                                                  • Opcode Fuzzy Hash: 91bf9de38deeece1578e1f8b156acc3f91d38eee950119c67c3a53d97268ff43
                                                  • Instruction Fuzzy Hash: 1C3116B9A473046FFF60DA98AC09FEB37ECAB44250F08419AFC249A142F721D950D7A1
                                                  APIs
                                                  • RegisterClassExA.USER32(?), ref: 0309FC05
                                                  • CreateWindowExA.USER32(00000000,gdkWindowToplevelClass,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0309FC20
                                                  • RegisterDeviceNotificationA.USER32(00000000,00000020,00000000), ref: 0309FC30
                                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0309FC48
                                                  • TranslateMessage.USER32(?), ref: 0309FC61
                                                  • DispatchMessageA.USER32(?), ref: 0309FC67
                                                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0309FC74
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                   • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: Message$Register$ClassCreateDeviceDispatchNotificationTranslateWindow
                                                  • String ID: $0$gdkWindowToplevelClass
                                                  • API String ID: 2947200908-2026830438
                                                  • Opcode ID: e9e84175fd35e8cd15b756f92307ec79f6c5b1ef73a889ad1565f596b8040fca
                                                  • Instruction ID: 5e28166cec76362284b25ca5e677d738f63c5fd2b4cf65fbf92c2fe245f373cd
                                                  • Opcode Fuzzy Hash: e9e84175fd35e8cd15b756f92307ec79f6c5b1ef73a889ad1565f596b8040fca
                                                  • Instruction Fuzzy Hash: EA3148B1C01749ABDB10EFE9D9849DEBFB8AF08210F14826AE514E7285D7348905CF60
                                                  APIs
                                                  • lstrcmpA.KERNEL32(?,C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe), ref: 0309100D
                                                  • lstrcmpA.KERNEL32(?,C:\Windows\SysWOW64\calc.exe), ref: 03091054
                                                  • MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 03091062
                                                  • lstrcpyA.KERNEL32(030A6D88,?), ref: 0309108B
                                                  • lstrcpyA.KERNEL32(030A6E90,?), ref: 03091093
                                                    • Part of subcall function 03097700: memset.MSVCRT ref: 0309771E
                                                    • Part of subcall function 03097700: _snprintf.MSVCRT ref: 03097738
                                                    • Part of subcall function 03097700: lstrlenA.KERNEL32(00000000), ref: 03097747
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                   • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: lstrcmplstrcpy$FileMove_snprintflstrlenmemset
                                                  • String ID: %s.%s$C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe$C:\Windows\SysWOW64\calc.exe$pdef$ruskill
                                                  • API String ID: 4105673886-3738607250
                                                  • Opcode ID: 1c1b9ecf1a4693cdd6bb5a35dc7bc3c4dc337cc75683cc2eaae88b29d3a66000
                                                  • Instruction ID: 2757bf3e8526de31417dda004ac2d06ab9189a1e0d8564a55fac85d0c1054e49
                                                  • Opcode Fuzzy Hash: 1c1b9ecf1a4693cdd6bb5a35dc7bc3c4dc337cc75683cc2eaae88b29d3a66000
                                                  • Instruction Fuzzy Hash: 0601F536343B157BEB24EAAEBC48EDF7BDCDB98560B090022F628D6006D6B6D4009275
                                                  APIs
                                                  • WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF), ref: 03093DA4
                                                  • ReadFile.KERNEL32(?,-030A7960,00000800,00000000,?,?,?,00000000,000000FF), ref: 03093DFF
                                                  • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 03093E3E
                                                  • ReadFile.KERNEL32(?,030A7960,00000800,00000000,?), ref: 03093ED7
                                                  • GetLastError.KERNEL32 ref: 03093EE3
                                                  • GetLastError.KERNEL32 ref: 03093EEA
                                                  • GetLastError.KERNEL32 ref: 03093EF3
                                                  • DisconnectNamedPipe.KERNEL32(?), ref: 03093F68
                                                  • ConnectNamedPipe.KERNEL32(?), ref: 03093F7E
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                   • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$FileNamedPipeRead$ConnectDisconnectMultipleObjectsOverlappedResultWait
                                                  • String ID:
                                                  • API String ID: 4113577031-0
                                                  • Opcode ID: e0e87117aac435ee5c75f2fd816bacf3688d776757cfc61984fd3a5097740983
                                                  • Instruction ID: 5953a273838b630e77cc769bc560cd6159e2c85f0f75482f73d815f100f11a71
                                                  • Opcode Fuzzy Hash: e0e87117aac435ee5c75f2fd816bacf3688d776757cfc61984fd3a5097740983
                                                  • Instruction Fuzzy Hash: 3B91D3B9602619AFEB14DF5CE884FA6B7A8FB48704F04429AF80587384C775E941CFA0
                                                  APIs
                                                  • lstrlenA.KERNEL32(03096E9C,00000000,00000000,00000000,?,?,03096E9C), ref: 0309B178
                                                  • HeapAlloc.KERNEL32(03490000,00000008,-00000002,?,?,03096E9C), ref: 0309B186
                                                  • lstrlenA.KERNEL32(03096E9C,?,?,03096E9C), ref: 0309B18F
                                                  • strstr.MSVCRT ref: 0309B19F
                                                  • strstr.MSVCRT ref: 0309B1B6
                                                  • lstrlenA.KERNEL32(-00000004,?,?,?,?,?,03096E9C), ref: 0309B1C3
                                                  • HeapAlloc.KERNEL32(03490000,00000008,-00000002,?,?,?,?,?,03096E9C), ref: 0309B1D2
                                                  • lstrlenA.KERNEL32(-00000004,?,?,?,?,?,03096E9C), ref: 0309B1DC
                                                  • lstrcpynA.KERNEL32(00000000,-00000004,00000001,?,?,?,?,?,03096E9C), ref: 0309B1E5
                                                  • HeapFree.KERNEL32(03490000,00000000,00000000,?,?,?,03096E9C), ref: 0309B1F8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                   • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$Heap$Allocstrstr$Freelstrcpyn
                                                  • String ID:
                                                  • API String ID: 1314289781-2344752452
                                                  • Opcode ID: 123bd964d530acba6631181945de012c36b632234df80113ec743874c92c89d0
                                                  • Instruction ID: d6a072ecc8d97574ba4530bcce98f280539fdcd694767df24c8a265f5e90f0d5
                                                  • Opcode Fuzzy Hash: 123bd964d530acba6631181945de012c36b632234df80113ec743874c92c89d0
                                                  • Instruction Fuzzy Hash: B211A376A03B147BE710FBADAC45FAB77ACDF45651F048015F905E3244DA78AD008BA0
                                                  APIs
                                                  • HeapAlloc.KERNEL32(03490000,00000008,00000000,?,00000000,?), ref: 0309AC1A
                                                  • HttpQueryInfoW.WININET(?,8000002D,00000000,?,?), ref: 0309AC3E
                                                  • GetLastError.KERNEL32 ref: 0309AC44
                                                  • HeapReAlloc.KERNEL32(03490000,00000008,00000000,?), ref: 0309AC5E
                                                  • HttpQueryInfoW.WININET(?,8000002D,00000000,?,?), ref: 0309AC79
                                                  • lstrcmpW.KERNEL32(POST,00000000), ref: 0309AC85
                                                  • HeapFree.KERNEL32(03490000,00000000,00000000), ref: 0309AC99
                                                  • HeapFree.KERNEL32(03490000,00000000,00000000), ref: 0309ACB2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                   • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: Heap$AllocFreeHttpInfoQuery$ErrorLastlstrcmp
                                                  • String ID: POST
                                                  • API String ID: 770645459-1814004025
                                                  • Opcode ID: ba77aeee4940dbf5b9700fffa5e0498015cc0f396e92995d41c46b4e7e6f7e2f
                                                  • Instruction ID: f9efb5a55ddbd5fe1d901fd9c36d472dfaf90fec2e07ffcf466545c93f15bc3f
                                                  • Opcode Fuzzy Hash: ba77aeee4940dbf5b9700fffa5e0498015cc0f396e92995d41c46b4e7e6f7e2f
                                                  • Instruction Fuzzy Hash: E8219076703A14BBEB24EAADAC88EAF7BBCEB85750F144156F904E6244D6349900D7A0
                                                  APIs
                                                    • Part of subcall function 03099300: inet_addr.WS2_32(0309226E), ref: 03099308
                                                    • Part of subcall function 03099300: gethostbyname.WS2_32(0309226E), ref: 03099313
                                                  • GetTickCount.KERNEL32 ref: 03099467
                                                  • htons.WS2_32(?), ref: 03099490
                                                  • GetTickCount.KERNEL32 ref: 030994BD
                                                  • GetTickCount.KERNEL32 ref: 030994C1
                                                  • socket.WS2_32(00000002,00000002,00000011), ref: 030994F6
                                                  • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 03099511
                                                  • sendto.WS2_32(?,?,00001964,00000000,00000002,00000010), ref: 0309953C
                                                  • Sleep.KERNEL32(00000064,00000002,00000002,00000011), ref: 03099549
                                                  • closesocket.WS2_32(?), ref: 03099559
                                                  • GetTickCount.KERNEL32 ref: 03099564
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                   • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: CountTick$Sleepclosesocketgethostbynamehtonsinet_addrioctlsocketsendtosocket
                                                  • String ID:
                                                  • API String ID: 2400900511-0
                                                  • Opcode ID: 074e5c844514cb536925473078211ea0f5dfa63cd49d34ed8a5793c155c1a132
                                                  • Instruction ID: de352882a30b9e3c156772e9d111e58c4b4f8e93aad9c6e2a03cf2401c84852f
                                                  • Opcode Fuzzy Hash: 074e5c844514cb536925473078211ea0f5dfa63cd49d34ed8a5793c155c1a132
                                                  • Instruction Fuzzy Hash: A7313D7A902728ABEB10FBFC9845BEFB3999FC8304F114126F915E7180D6749D01DBA2
                                                  APIs
                                                  • memset.MSVCRT ref: 0309ACF5
                                                  • HeapAlloc.KERNEL32(03490000,00000008,00000000,?,00000000,?), ref: 0309AD0A
                                                  • InternetQueryOptionW.WININET(?,00000022,00000000,?), ref: 0309AD2B
                                                  • GetLastError.KERNEL32 ref: 0309AD31
                                                  • HeapReAlloc.KERNEL32(03490000,00000008,00000000,?), ref: 0309AD4F
                                                  • InternetQueryOptionW.WININET(?,00000022,00000000,?), ref: 0309AD63
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000104,00000000,00000000), ref: 0309AD80
                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0309AD93
                                                  • lstrcpyA.KERNEL32(?,00000000), ref: 0309ADB3
                                                  • HeapFree.KERNEL32(03490000,00000000,00000000), ref: 0309ADE6
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                   • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: Heap$AllocInternetOptionQuery$??2@ByteCharErrorFreeLastMultiWidelstrcpymemset
                                                  • String ID:
                                                  • API String ID: 3155763378-0
                                                  • Opcode ID: 4178561c1646a4c1b5ad0ff2776f3fabfebc0e6263f4960f9e15c4a81bc9f79e
                                                  • Instruction ID: 6b27506af04fed452946c7b2304a511462f3ca47cfb7428575e6f63e0346ead1
                                                  • Opcode Fuzzy Hash: 4178561c1646a4c1b5ad0ff2776f3fabfebc0e6263f4960f9e15c4a81bc9f79e
                                                  • Instruction Fuzzy Hash: C531C078602704BBEB20EF58DC84FABBBB8EF89751F104145F945AB280D774A940DBA0
                                                  APIs
                                                    • Part of subcall function 03099300: inet_addr.WS2_32(0309226E), ref: 03099308
                                                    • Part of subcall function 03099300: gethostbyname.WS2_32(0309226E), ref: 03099313
                                                  • htons.WS2_32(?), ref: 0309935D
                                                  • GetTickCount.KERNEL32 ref: 0309936F
                                                  • GetTickCount.KERNEL32 ref: 03099373
                                                  • socket.WS2_32(00000002,00000001,00000000), ref: 030993A6
                                                  • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 030993C1
                                                  • connect.WS2_32(?,?,00000010), ref: 030993DE
                                                  • Sleep.KERNEL32(00000064,?,?,00000010,00000002,00000001,00000000), ref: 030993EB
                                                  • closesocket.WS2_32(?), ref: 030993F8
                                                  • Sleep.KERNEL32(0000004B,?), ref: 03099405
                                                  • GetTickCount.KERNEL32 ref: 03099407
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                   • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: CountTick$Sleep$closesocketconnectgethostbynamehtonsinet_addrioctlsocketsocket
                                                  • String ID:
                                                  • API String ID: 1090714710-0
                                                  • Opcode ID: 158cdb05d37034e15fd7000d796a26de70aaf052e0548fb66e9e2d88fa9e2338
                                                  • Instruction ID: 8b0299a7051f6ec37ca1dd2cd071d68fced3fe81cc82d05d153c72c20e3eea06
                                                  • Opcode Fuzzy Hash: 158cdb05d37034e15fd7000d796a26de70aaf052e0548fb66e9e2d88fa9e2338
                                                  • Instruction Fuzzy Hash: D921F776901628ABDB20FFF8AD45B8EF3A99B88200F01421AE908A71C0D6709D41CB95
                                                  APIs
                                                  • memset.MSVCRT ref: 030989C5
                                                  • AcquireCredentialsHandleW.SECUR32(00000000,Microsoft Unified Security Protocol Provider,00000002,00000000,?,00000000,00000000,?,00000000), ref: 03098A32
                                                  • QueryContextAttributesW.SECUR32(?,00000004,00000001), ref: 03098AC3
                                                  • InitializeSecurityContextW.SECUR32(?,00000000,?,0008C11C,00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 03098A79
                                                    • Part of subcall function 03098760: FreeContextBuffer.SECUR32(?), ref: 03098774
                                                    • Part of subcall function 03098790: InitializeSecurityContextW.SECUR32(?,?,?,0008C11C,00000000,00000000,?,00000000,00000000,?,?,00000000), ref: 030988AE
                                                  • DeleteSecurityContext.SECUR32(?), ref: 03098B17
                                                  • FreeCredentialsHandle.SECUR32(?), ref: 03098B1E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                   • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: Context$Security$CredentialsFreeHandleInitialize$AcquireAttributesBufferDeleteQuerymemset
                                                  • String ID: $Microsoft Unified Security Protocol Provider
                                                  • API String ID: 3657786480-3891800672
                                                  • Opcode ID: edef138dad07eb5b62d78fcf289a2a74e4e421320b8e2cf10ebad01e440a6904
                                                  • Instruction ID: edf6255dcfed4ee7040770112e86a0071656333351069016d271775fa80b251f
                                                  • Opcode Fuzzy Hash: edef138dad07eb5b62d78fcf289a2a74e4e421320b8e2cf10ebad01e440a6904
                                                  • Instruction Fuzzy Hash: BB5107B5D01608AFEB20DF9AD8849EFFBFCFF85700F14851AE515E6250E374A6058BA0
                                                  APIs
                                                  • memset.MSVCRT ref: 03091D31
                                                  • memset.MSVCRT ref: 03091D4B
                                                  • lstrcmpA.KERNEL32(00000000,block), ref: 03091D9B
                                                  • strstr.MSVCRT ref: 03091DAB
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000400), ref: 03091DCA
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000200,00000000,00000000), ref: 03091E0C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                   • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWidememset$lstrcmpstrstr
                                                  • String ID: bdns$block
                                                  • API String ID: 1883446694-4143068083
                                                  • Opcode ID: 5c6faa8c77e39688dff9784386a34de64da672d0eaa33faf1540655e723bbfe3
                                                  • Instruction ID: e91b95cc97774c3bd866c29e1004837d73a6c68575f40caf6e7dab8647f39dec
                                                  • Opcode Fuzzy Hash: 5c6faa8c77e39688dff9784386a34de64da672d0eaa33faf1540655e723bbfe3
                                                  • Instruction Fuzzy Hash: 8D3148767423097BFB24DE98EC05FEB73ACDF84711F044156FA14AA2C1EAB09A10D6A1
                                                  APIs
                                                  • memset.MSVCRT ref: 0309A6AF
                                                  • memset.MSVCRT ref: 0309A6CA
                                                  • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000026,00000000), ref: 0309A6DF
                                                  • PathAppendW.SHLWAPI(?,030A1728), ref: 0309A6F9
                                                  • _snwprintf.MSVCRT ref: 0309A71B
                                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000010,00000000,00000000,00000044,?), ref: 0309A77F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                   • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: Pathmemset$AppendCreateFolderProcessSpecial_snwprintf
                                                  • String ID: "%s" %S$D
                                                  • API String ID: 1165436438-3572644092
                                                  • Opcode ID: da3cea8848fd02b7062c2c76a79e2f9da9d8732df685c2622c72a14fce26a10b
                                                  • Instruction ID: 1b8fe7d90d0874533159941bad20e596c3019b5ac30aa2c4398942c2b4a97ec5
                                                  • Opcode Fuzzy Hash: da3cea8848fd02b7062c2c76a79e2f9da9d8732df685c2622c72a14fce26a10b
                                                  • Instruction Fuzzy Hash: 59210075A417087AFB10DBE0DC46FEF7378AF84B01F144185F6096E0C4E7B59A448B99
                                                  APIs
                                                  • strtok.MSVCRT ref: 03099C7C
                                                  • HeapFree.KERNEL32(03490000,00000000,?), ref: 03099C9A
                                                  • lstrcpyA.KERNEL32(030DB648,030A1335), ref: 03099CB3
                                                  • lstrcpynA.KERNEL32(030DB648,00000000,00000200), ref: 03099CC4
                                                  • strtok.MSVCRT ref: 03099CDB
                                                  • atoi.MSVCRT ref: 03099CE8
                                                  • HeapFree.KERNEL32(03490000,00000000,?), ref: 03099D73
                                                  Strings
                                                  • [Slowloris]: Finished flood on "%s", xrefs: 03099D45
                                                  • [Slowloris]: Starting flood on "%s" for %d minute(s), xrefs: 03099CF9
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: FreeHeapstrtok$atoilstrcpylstrcpyn
                                                  • String ID: [Slowloris]: Finished flood on "%s"$[Slowloris]: Starting flood on "%s" for %d minute(s)
                                                  • API String ID: 1726920797-1250431664
                                                  • Opcode ID: 5d10188a2462887682c0ff623a3cd7b3f38c82cd69b23ac10bf488336247a31d
                                                  • Instruction ID: 5ffca36906a7f59d9b4acee965550ef8fc750b756c6579b9c7d7de2707603417
                                                  • Opcode Fuzzy Hash: 5d10188a2462887682c0ff623a3cd7b3f38c82cd69b23ac10bf488336247a31d
                                                  • Instruction Fuzzy Hash: D021D4B6643F046FEB10FAE8BC4AF6F36DCE785752F040029F9189E14AD7B944008BA4
                                                  APIs
                                                  • memset.MSVCRT ref: 0309FCB0
                                                  • lstrlenA.KERNEL32(30e4*ga1), ref: 0309FCBD
                                                  • _snprintf.MSVCRT ref: 0309FCE0
                                                  • lstrcpyW.KERNEL32(030DB9A0,C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe), ref: 0309FCF2
                                                  • lstrcpyA.KERNEL32(030DBDB0,030A2FC0), ref: 0309FD08
                                                  • lstrcpyA.KERNEL32(030DBEB4,?), ref: 0309FD16
                                                    • Part of subcall function 0309F9E0: memset.MSVCRT ref: 0309F9FF
                                                    • Part of subcall function 0309F9E0: GetLogicalDriveStringsA.KERNEL32(000001FF,00000000), ref: 0309FA22
                                                    • Part of subcall function 0309F9E0: lstrcatA.KERNEL32(00000000,030A3040), ref: 0309FA5C
                                                    • Part of subcall function 0309FB60: RegisterClassExA.USER32(?), ref: 0309FC05
                                                    • Part of subcall function 0309FB60: CreateWindowExA.USER32(00000000,gdkWindowToplevelClass,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0309FC20
                                                    • Part of subcall function 0309FB60: RegisterDeviceNotificationA.USER32(00000000,00000020,00000000), ref: 0309FC30
                                                    • Part of subcall function 0309FB60: GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0309FC48
                                                    • Part of subcall function 0309FB60: TranslateMessage.USER32(?), ref: 0309FC61
                                                    • Part of subcall function 0309FB60: DispatchMessageA.USER32(?), ref: 0309FC67
                                                    • Part of subcall function 0309FB60: GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0309FC74
                                                  • Sleep.KERNEL32(00003A98), ref: 0309FD61
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: Message$lstrcpy$Registermemset$ClassCreateDeviceDispatchDriveLogicalNotificationSleepStringsTranslateWindow_snprintflstrcatlstrlen
                                                  • String ID: 30e4*ga1$C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe
                                                  • API String ID: 496236647-3153100643
                                                  • Opcode ID: 5cd55452239586d94631d857c95c02274dd2a54fb2961a97dec8132eb66e7691
                                                  • Instruction ID: d5abf8c1dd652731f343b67fa75ef28c076800ac788390f47896616a5eaa63cd
                                                  • Opcode Fuzzy Hash: 5cd55452239586d94631d857c95c02274dd2a54fb2961a97dec8132eb66e7691
                                                  • Instruction Fuzzy Hash: BA11E7B5A43718AFD700FFA8BC81BED76ECEB54701F41006AEA509A14AD6F819908F55
                                                  APIs
                                                  • _stricmp.MSVCRT(?,GetAddrInfoW), ref: 030A0C14
                                                  • _stricmp.MSVCRT(?,send), ref: 030A0C26
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: _stricmp
                                                  • String ID: GetAddrInfoW$dnsapi.dll$nspr4.dll$send$wininet.dll
                                                  • API String ID: 2884411883-3553644081
                                                  • Opcode ID: 5fee445bfc1edcf4b80089fb37329592002891f55cea1b40532d9123fb6cbb1e
                                                  • Instruction ID: 6209e2378e90c51baa39e4442c246dc0632c9f82314ee448ac764aeefbd55eda
                                                  • Opcode Fuzzy Hash: 5fee445bfc1edcf4b80089fb37329592002891f55cea1b40532d9123fb6cbb1e
                                                  • Instruction Fuzzy Hash: 9C11822BF83A3916EE60E3ED7D01BEEA3CC4B605A2F090172ED09DB201D556D55092E6
                                                  APIs
                                                  • lstrlenA.KERNEL32(00000000,?,http.set,?,msn.int,?,030A57F4,?,030A57F0,?,speed,?,rs0,?,stats), ref: 0309C8DD
                                                  • lstrlenA.KERNEL32(?,?,http.set,?,msn.int,?,030A57F4,?,030A57F0,?,speed,?,rs0,?,stats), ref: 0309C8E5
                                                  • lstrcatA.KERNEL32(00000000,030A2C78,?,?,http.set,?,msn.int,?,030A57F4,?,030A57F0,?,speed,?,rs0), ref: 0309C907
                                                  • lstrcatA.KERNEL32(00000000,?,?,?,http.set,?,msn.int,?,030A57F4,?,030A57F0,?,speed,?,rs0), ref: 0309C913
                                                  • lstrcmpA.KERNEL32(00000000,http.int,?,http.set,?,msn.int,?,030A57F4,?,030A57F0,?,speed,?,rs0,?,stats), ref: 0309C985
                                                  • atoi.MSVCRT ref: 0309C99C
                                                  • atoi.MSVCRT ref: 0309C9AF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: atoilstrcatlstrlen$lstrcmp
                                                  • String ID: [HTTP]: Updated HTTP spread message to "%s"$http$msg
                                                  • API String ID: 3861295430-3390247340
                                                  • Opcode ID: d07394a1f0462d0d93f6e097751333890bb8cad9427c3241537eef38364545f0
                                                  • Instruction ID: 7e718970eb808d06b352be4d8da7056aafeec6d263a191c4b3cda023f6a439c8
                                                  • Opcode Fuzzy Hash: d07394a1f0462d0d93f6e097751333890bb8cad9427c3241537eef38364545f0
                                                  • Instruction Fuzzy Hash: 66015275A1260C9FEF64DBA4DC80EDFB3B8AF84600F150896D54997002DB75BA86DF60
                                                  APIs
                                                  Strings
                                                  • C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe, xrefs: 0309DD7B
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: CleanupCountCriticalExitInitializeSectionSleepThreadTick
                                                  • String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe
                                                  • API String ID: 544336047-1808587922
                                                  • Opcode ID: da38079e54130b91b6094a45dcdcc5313beba5070194cfd9a205b26b9853465f
                                                  • Instruction ID: 6bf3f5d4a69e51d91cd70269154fc84fe2e63c63f0333ca2df44458aaff6721a
                                                  • Opcode Fuzzy Hash: da38079e54130b91b6094a45dcdcc5313beba5070194cfd9a205b26b9853465f
                                                  • Instruction Fuzzy Hash: 26F09674587F14DBFE54F7B87E0859E71945B50168F180703E525C51D8EB2891007AD2
                                                  APIs
                                                  • ReadFile.KERNEL32(?,-030A7960,00000800,00000000,?,?,?,00000000,000000FF), ref: 03093DFF
                                                  • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 03093E3E
                                                  • ReadFile.KERNEL32(?,030A7960,00000800,00000000,?), ref: 03093ED7
                                                  • GetLastError.KERNEL32 ref: 03093EE3
                                                  • GetLastError.KERNEL32 ref: 03093EEA
                                                  • GetLastError.KERNEL32 ref: 03093EF3
                                                  • WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF), ref: 03093F0D
                                                  • GetLastError.KERNEL32(?,?,00000000,000000FF), ref: 03093F1D
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$FileRead$MultipleObjectsOverlappedResultWait
                                                  • String ID:
                                                  • API String ID: 146293752-0
                                                  • Opcode ID: 215d8dbeb9b958e95e48a888c734d236e86b758ef0d37d21623fe09daab56e93
                                                  • Instruction ID: 512a73745c8af628e711a22dc463691e3cca69cf1e0855fd397499b110c934eb
                                                  • Opcode Fuzzy Hash: 215d8dbeb9b958e95e48a888c734d236e86b758ef0d37d21623fe09daab56e93
                                                  • Instruction Fuzzy Hash: E741D3B8602619AFEB04DF68D8C4FAAB7A8FF49704F448699E55587385C730E901CFA1
                                                  APIs
                                                  • ReadFile.KERNEL32(?,-030A7960,00000800,00000000,?,?,?,00000000,000000FF), ref: 03093DFF
                                                  • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 03093E3E
                                                  • ReadFile.KERNEL32(?,030A7960,00000800,00000000,?), ref: 03093ED7
                                                  • GetLastError.KERNEL32 ref: 03093EE3
                                                  • GetLastError.KERNEL32 ref: 03093EEA
                                                  • GetLastError.KERNEL32 ref: 03093EF3
                                                  • WaitForMultipleObjects.KERNEL32(?,?,00000000,000000FF), ref: 03093F0D
                                                  • GetLastError.KERNEL32(?,?,00000000,000000FF), ref: 03093F1D
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$FileRead$MultipleObjectsOverlappedResultWait
                                                  • String ID:
                                                  • API String ID: 146293752-0
                                                  • Opcode ID: 9f7816e37cd40a6051f4b66711f185418e26bce4499f1281249d42ac729e8bd1
                                                  • Instruction ID: ebdb5bd0ae55c631a7b979c7329fb5184d02cde18ff1aef91dc5037b1c7c72c5
                                                  • Opcode Fuzzy Hash: 9f7816e37cd40a6051f4b66711f185418e26bce4499f1281249d42ac729e8bd1
                                                  • Instruction Fuzzy Hash: EF41E6B8602619AFEB04DF68D8C4FAAB7A8FF49704F448699E555C7385C730E901CFA0
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$_snprintf_vsnprintflstrcmp
                                                  • String ID: %s_$bdns
                                                  • API String ID: 3897371274-741241040
                                                  • Opcode ID: 41e2f13489381d0c6ade464ebef4062cb5327f60cd46dbb907a6fa1edba69bd1
                                                  • Instruction ID: a76b80ccddcac8087facf3e0a3fb33f631e2a4d6425f21a363391a2d50fa72d6
                                                  • Opcode Fuzzy Hash: 41e2f13489381d0c6ade464ebef4062cb5327f60cd46dbb907a6fa1edba69bd1
                                                  • Instruction Fuzzy Hash: E221F8777026196BEF60DEA9BC84FEB779CEB44A10F08016AFD09D7101E670C900C6E0
                                                  APIs
                                                  • LocalAlloc.KERNEL32(00000040,0000103C), ref: 03098688
                                                  • htons.WS2_32(?), ref: 030986AE
                                                  • inet_ntoa.WS2_32(?), ref: 030986F7
                                                  • htons.WS2_32(?), ref: 03098704
                                                  • GetTickCount.KERNEL32 ref: 03098713
                                                  • CreateThread.KERNEL32(00000000,00000000,03098640,00000000,00000000,00000000), ref: 03098734
                                                  • CloseHandle.KERNEL32(00000000), ref: 0309873B
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: htons$AllocCloseCountCreateHandleLocalThreadTickinet_ntoa
                                                  • String ID:
                                                  • API String ID: 30336511-0
                                                  • Opcode ID: 75f9c958f94ff997a9c55e4723373dc165389edfd5f62454d1bcf005212b8f7b
                                                  • Instruction ID: cfa436aaf49f42b75519fd09e6af552ebfd54b55286e4bc54d82f3b49aa36368
                                                  • Opcode Fuzzy Hash: 75f9c958f94ff997a9c55e4723373dc165389edfd5f62454d1bcf005212b8f7b
                                                  • Instruction Fuzzy Hash: 9521D878643B109AE710EBB5EC09BEBB6E8AF08750F04851AF95DCB394D7F49140DB54
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: lstrlenmemset$_snprintflstrcpy
                                                  • String ID: off$state_%s
                                                  • API String ID: 1009457118-628336787
                                                  • Opcode ID: 29b27207c1d4dd0789ca98dab0dc4cb68dfbb190a0972bbb604a0e809b4c93d2
                                                  • Instruction ID: 92cc0ba7ed9cfd66369f9eeefbf1c89e264daee71e2e85d70f7a7852a18d6b51
                                                  • Opcode Fuzzy Hash: 29b27207c1d4dd0789ca98dab0dc4cb68dfbb190a0972bbb604a0e809b4c93d2
                                                  • Instruction Fuzzy Hash: 3811D6BA9433187BEB24E698DD45FEF736C9F94B00F0041D5F7486A181E6F45B848AA1
                                                  APIs
                                                  • select.WS2_32(00000000,00000000,?,00000000,?), ref: 03097FD4
                                                  • send.WS2_32(?,?,?,00000000), ref: 03097FFB
                                                  • LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,00000000,?), ref: 03098004
                                                  • select.WS2_32(00000000,00000000,00000000,00000001,?), ref: 0309803D
                                                  • select.WS2_32(00000000,?,00000000,00000000,?), ref: 03098081
                                                  • recv.WS2_32(?,?,00001000,00000000), ref: 0309809A
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: select$FreeLocalrecvsend
                                                  • String ID:
                                                  • API String ID: 1822081929-0
                                                  • Opcode ID: 76d830e5f0d7d2fac5acb03e2815f09c8bc05c385a44d9864a7a9ec91759ab35
                                                  • Instruction ID: eff247f06fd371165a736079baaf5d71834bbdcec6055acc7fff73db6fe6f6fe
                                                  • Opcode Fuzzy Hash: 76d830e5f0d7d2fac5acb03e2815f09c8bc05c385a44d9864a7a9ec91759ab35
                                                  • Instruction Fuzzy Hash: 174173755007149BE730DF99DC80BE6B3F8EB88710F00868EF5899B690D7F5A9C59B90
                                                  APIs
                                                  • htons.WS2_32(?), ref: 03092A44
                                                    • Part of subcall function 03092460: GetProcessHeap.KERNEL32(?,030920DE,?), ref: 0309246C
                                                    • Part of subcall function 03092460: HeapAlloc.KERNEL32(03490000,00000008,030920DE,?,030920DE,?), ref: 0309247E
                                                  • socket.WS2_32(00000002,00000001,00000006), ref: 03092A8A
                                                  • WSAGetLastError.WS2_32(00000002,00000001,00000006), ref: 03092A96
                                                  • GetLastError.KERNEL32(00000002,00000001,00000006), ref: 03092A9B
                                                    • Part of subcall function 030924A0: GetProcessHeap.KERNEL32(00000000,?,03092131,00000000), ref: 030924B4
                                                    • Part of subcall function 030924A0: HeapFree.KERNEL32(03490000,00000000,03092131,00000000,?,03092131,00000000), ref: 030924C3
                                                  • inet_ntoa.WS2_32(00000002), ref: 03092AEE
                                                  • connect.WS2_32(00000000,?,00000010), ref: 03092AFC
                                                  • Sleep.KERNEL32(000005DC,00000000,?,00000010,00000001,00000006), ref: 03092B0B
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: Heap$ErrorLastProcess$AllocFreeSleepconnecthtonsinet_ntoasocket
                                                  • String ID:
                                                  • API String ID: 268164981-0
                                                  • Opcode ID: c235ffc30b39b725088326a08c158ad518614e89fdb2466afde7bbe749ec9fe2
                                                  • Instruction ID: 97482c5198047aebaddb292f9a3459c147d10c10e9ef219215a1ab92471cf3dc
                                                  • Opcode Fuzzy Hash: c235ffc30b39b725088326a08c158ad518614e89fdb2466afde7bbe749ec9fe2
                                                  • Instruction Fuzzy Hash: 2B41D875E02608ABDF20DFA8D880AAFB3FDEF84320F144956E5199B240D7319941DB91
                                                  APIs
                                                    • Part of subcall function 03092460: GetProcessHeap.KERNEL32(?,030920DE,?), ref: 0309246C
                                                    • Part of subcall function 03092460: HeapAlloc.KERNEL32(03490000,00000008,030920DE,?,030920DE,?), ref: 0309247E
                                                    • Part of subcall function 0309AFA0: lstrlenA.KERNEL32(?,?,00000000,00000000), ref: 0309AFBD
                                                    • Part of subcall function 0309AFA0: HeapAlloc.KERNEL32(03490000,00000008,-00000002), ref: 0309AFCB
                                                    • Part of subcall function 0309AFA0: memset.MSVCRT ref: 0309AFE8
                                                    • Part of subcall function 0309AFA0: memset.MSVCRT ref: 0309B002
                                                    • Part of subcall function 0309AFA0: lstrlenA.KERNEL32(?), ref: 0309B013
                                                    • Part of subcall function 0309AFA0: sscanf.MSVCRT ref: 0309B02A
                                                    • Part of subcall function 0309AFA0: strtok.MSVCRT ref: 0309B041
                                                    • Part of subcall function 0309AFA0: _memicmp.MSVCRT ref: 0309B05B
                                                    • Part of subcall function 0309AFA0: strtok.MSVCRT ref: 0309B06E
                                                    • Part of subcall function 0309AFA0: lstrlenA.KERNEL32(00000000), ref: 0309B09B
                                                    • Part of subcall function 0309AFA0: lstrlenA.KERNEL32(00000000), ref: 0309B0AD
                                                    • Part of subcall function 0309AFA0: lstrlenA.KERNEL32(00000000), ref: 0309B0BB
                                                    • Part of subcall function 0309AFA0: lstrlenA.KERNEL32(00000000), ref: 0309B0C6
                                                    • Part of subcall function 0309AFA0: HeapAlloc.KERNEL32(03490000,00000000,?), ref: 0309B0D5
                                                    • Part of subcall function 0309AFA0: _memicmp.MSVCRT ref: 0309B0EB
                                                  • strstr.MSVCRT ref: 03096EBC
                                                  • lstrlenA.KERNEL32(00000000,?,?,?,?,?,?), ref: 03096EC9
                                                  • lstrlenA.KERNEL32(?,?,?,?,?), ref: 03096EE7
                                                  • HeapFree.KERNEL32(03490000,00000000,00000000,?,?), ref: 03096F1A
                                                  • HeapFree.KERNEL32(03490000,00000000,?,?,?), ref: 03096F2C
                                                  • HeapFree.KERNEL32(03490000,00000000,00000000,?,?), ref: 03096F3C
                                                    • Part of subcall function 0309B160: lstrlenA.KERNEL32(03096E9C,00000000,00000000,00000000,?,?,03096E9C), ref: 0309B178
                                                    • Part of subcall function 0309B160: HeapAlloc.KERNEL32(03490000,00000008,-00000002,?,?,03096E9C), ref: 0309B186
                                                    • Part of subcall function 0309B160: lstrlenA.KERNEL32(03096E9C,?,?,03096E9C), ref: 0309B18F
                                                    • Part of subcall function 0309B160: strstr.MSVCRT ref: 0309B19F
                                                    • Part of subcall function 0309B160: strstr.MSVCRT ref: 0309B1B6
                                                    • Part of subcall function 0309B160: lstrlenA.KERNEL32(-00000004,?,?,?,?,?,03096E9C), ref: 0309B1C3
                                                    • Part of subcall function 0309B160: HeapAlloc.KERNEL32(03490000,00000008,-00000002,?,?,?,?,?,03096E9C), ref: 0309B1D2
                                                    • Part of subcall function 0309B160: lstrlenA.KERNEL32(-00000004,?,?,?,?,?,03096E9C), ref: 0309B1DC
                                                    • Part of subcall function 0309B160: lstrcpynA.KERNEL32(00000000,-00000004,00000001,?,?,?,?,?,03096E9C), ref: 0309B1E5
                                                    • Part of subcall function 0309B160: HeapFree.KERNEL32(03490000,00000000,00000000,?,?,?,03096E9C), ref: 0309B1F8
                                                    • Part of subcall function 030A01E0: memset.MSVCRT ref: 030A0202
                                                    • Part of subcall function 030A01E0: GetProcessHeap.KERNEL32(00000000,00000000,00000000), ref: 030A0213
                                                    • Part of subcall function 030A01E0: EnterCriticalSection.KERNEL32(030DB4E4), ref: 030A0223
                                                    • Part of subcall function 030A01E0: strstr.MSVCRT ref: 030A0243
                                                    • Part of subcall function 030A01E0: lstrlenA.KERNEL32(00000000), ref: 030A0254
                                                    • Part of subcall function 030A01E0: HeapAlloc.KERNEL32(00000000,00000008,00000001), ref: 030A025F
                                                    • Part of subcall function 030A01E0: lstrcpyA.KERNEL32(00000000,00000000), ref: 030A0272
                                                    • Part of subcall function 030A01E0: strstr.MSVCRT ref: 030A0281
                                                    • Part of subcall function 030A01E0: _snprintf.MSVCRT ref: 030A02C8
                                                    • Part of subcall function 030A01E0: strstr.MSVCRT ref: 030A02EF
                                                    • Part of subcall function 030A01E0: HeapFree.KERNEL32(?,00000000,00000000), ref: 030A03E4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: Heaplstrlen$Allocstrstr$Free$memset$Process_memicmpstrtok$CriticalEnterSection_snprintflstrcpylstrcpynsscanf
                                                  • String ID: POST
                                                  • API String ID: 836748388-1814004025
                                                  • Opcode ID: 723cfe93f1cbb2c74812dcb0654cbcf00ae607af0557096ef49ddfad24f11d61
                                                  • Instruction ID: 741d613666d48a397e8c08956e0809a6e8f2cf08d84112b837522171569f2502
                                                  • Opcode Fuzzy Hash: 723cfe93f1cbb2c74812dcb0654cbcf00ae607af0557096ef49ddfad24f11d61
                                                  • Instruction Fuzzy Hash: AF317975A03208BBEF10EFA9EC84EAB77ECDB84650F144066FD0997204D636E91097A1
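Every APIs list in this report, including the one above for the function at 03096E9C, prints its call records in one fixed line shape: an optional "Part of subcall function <addr>:" prefix, "api.MODULE(args)" with "?" for arguments the plugin could not resolve, and "ref: <addr>" for the call site. The Python below is an added example, not part of the Joe Sandbox report or of the analysed sample, that parses lines in that shape into records, separates a function's own calls from those made inside its callees, collects the heap handles passed to HeapAlloc/HeapFree, and tags the capabilities the API names imply. The sample input is a constructed copy of nine records from the listing above; the capability table is the example's own choice of which APIs to group, not something the report states.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: call records copied from the report's listing for the
# function at 03096E9C (indentation dropped). The "•" bullet and the
# "Part of subcall function" prefix are exactly as the report prints them.
SAMPLE = """\
• Part of subcall function 0309AFA0: lstrlenA.KERNEL32(?,?,00000000,00000000), ref: 0309AFBD
• Part of subcall function 0309AFA0: HeapAlloc.KERNEL32(03490000,00000008,-00000002), ref: 0309AFCB
• Part of subcall function 0309AFA0: sscanf.MSVCRT ref: 0309B02A
• Part of subcall function 0309AFA0: strtok.MSVCRT ref: 0309B041
• strstr.MSVCRT ref: 03096EBC
• lstrlenA.KERNEL32(00000000,?,?,?,?,?,?), ref: 03096EC9
• HeapFree.KERNEL32(03490000,00000000,00000000,?,?), ref: 03096F1A
• Part of subcall function 030A01E0: EnterCriticalSection.KERNEL32(030DB4E4), ref: 030A0223
• Part of subcall function 030A01E0: _snprintf.MSVCRT ref: 030A02C8
"""

# One record per line: [bullet] [Part of subcall function ADDR:] api.MODULE[(args)][,] ref: ADDR
CALL_RE = re.compile(
    r"^\s*•?\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

@dataclass
class ApiCall:
    api: str
    module: str
    args: list            # raw argument tokens as printed ("?" = unresolved)
    ref: int              # address of the call instruction
    subcall: Optional[int]  # callee whose body made the call, None for the function itself

def arg_value(token: str) -> Optional[int]:
    """Turn a printed argument into an int; '?' (unresolved) becomes None."""
    token = token.strip()
    if token in ("", "?"):
        return None
    return int(token, 16)   # int() accepts a leading '-' with base 16, e.g. "-00000002"

def parse_calls(text: str) -> list:
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue   # headers such as "APIs" / "Strings" and non-call lines
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        calls.append(ApiCall(
            api=m.group("api"), module=m.group("mod"), args=args,
            ref=int(m.group("ref"), 16),
            subcall=int(m.group("sub"), 16) if m.group("sub") else None,
        ))
    return calls

def direct_calls(calls: list) -> list:
    """Only the calls made by the listed function itself, not by its callees."""
    return [c for c in calls if c.subcall is None]

def heap_handles(calls: list) -> set:
    """First argument of HeapAlloc/HeapFree/HeapReAlloc is the heap handle."""
    handles = set()
    for c in calls:
        if c.api in ("HeapAlloc", "HeapFree", "HeapReAlloc") and c.args:
            v = arg_value(c.args[0])
            if v is not None:
                handles.add(v)
    return handles

# Assumed grouping for this example; the report itself does not define these tags.
CAPABILITIES = {
    "named-pipe IPC": {"CreateNamedPipeA", "CreateNamedPipeW", "ConnectNamedPipe"},
    "device/volume IOCTL": {"DeviceIoControl"},
    "winsock networking": {"WSAStartup", "socket", "connect", "ioctlsocket", "closesocket"},
    "shared-memory section": {"CreateFileMappingA", "MapViewOfFile"},
    "runtime API resolution": {"LdrGetProcedureAddress", "GetProcAddress"},
    "C-runtime string parsing": {"sscanf", "strtok", "sprintf", "_snprintf", "strstr"},
}

def tag_capabilities(calls: list, include_subcalls: bool = True) -> dict:
    """Map each capability tag to the APIs from the listing that triggered it."""
    seen = {c.api for c in calls if include_subcalls or c.subcall is None}
    return {tag: seen & apis for tag, apis in CAPABILITIES.items() if seen & apis}

if __name__ == "__main__":
    parsed = parse_calls(SAMPLE)
    print(f"{len(parsed)} calls, {len(direct_calls(parsed))} direct, heaps={heap_handles(parsed)}")
    for tag, apis in tag_capabilities(parsed).items():
        print(f"  {tag}: {sorted(apis)}")
```

Feeding a whole record (APIs list plus the Strings and Memory Dump Source lines) works as well, since lines that do not match the call shape are skipped; running it with include_subcalls=False gives the capability set of the function body alone, which is the more conservative reading of a listing like this one.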
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: lstrcmplstrcpynlstrlenmemmovememsetstrchr
                                                  • String ID: 332
                                                  • API String ID: 3300951897-3855660651
                                                  • Opcode ID: 7da4dbeb7945784e590976f6faf1bdb5f733f2b9427b3cbb0b5bcdca12730ba0
                                                  • Instruction ID: a5d542be54f4f5e021a24583ae43c10b52d4cf800bfdc7d0ce1ad4038f916386
                                                  • Opcode Fuzzy Hash: 7da4dbeb7945784e590976f6faf1bdb5f733f2b9427b3cbb0b5bcdca12730ba0
                                                  • Instruction Fuzzy Hash: 5D31F67AA0131A7BEB10DA6CDCC8FA777ACEF84740F044165F80997145E631E905C7B0
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: _snprintf_vsnprintflstrcmplstrlen
                                                  • String ID: %s_$bdns
                                                  • API String ID: 4220314296-741241040
                                                  • Opcode ID: ae28572bdfad6e5c76c074f4e8bca071f54a88ac71d35281193b0b8f083602b8
                                                  • Instruction ID: 40ec8b8321052b1fd629fce73605caf399ddc53fc25e124aad79e8168fcc7fcd
                                                  • Opcode Fuzzy Hash: ae28572bdfad6e5c76c074f4e8bca071f54a88ac71d35281193b0b8f083602b8
                                                  • Instruction Fuzzy Hash: 8721D8776026196BEB20DEADFC84FEB739CFB84A10F08055AED18D7105E630D90087E0
                                                  APIs
                                                  • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 03093BD8
                                                  • CreateNamedPipeA.KERNEL32(?,40000001,00000000,000000FF,00010000,00010000,00000000,00000000), ref: 03093C0F
                                                  • ConnectNamedPipe.KERNEL32(00000000,?), ref: 03093C25
                                                  • GetLastError.KERNEL32 ref: 03093C2F
                                                  • GetLastError.KERNEL32 ref: 03093C46
                                                  • SetEvent.KERNEL32(00000000), ref: 03093C56
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: CreateErrorEventLastNamedPipe$Connect
                                                  • String ID:
                                                  • API String ID: 3507186782-0
                                                  • Opcode ID: 1f54e33e364ebd72c469a350f072b4f7a05954265af859d9594b656a95d194ce
                                                  • Instruction ID: aae6f966f9ac381729610465d4c92dcd7c5e0efa1648062c58f4968888deb818
                                                  • Opcode Fuzzy Hash: 1f54e33e364ebd72c469a350f072b4f7a05954265af859d9594b656a95d194ce
                                                  • Instruction Fuzzy Hash: 85212879341A066FFB20DF68E8C4B99B7A4EF40391F244166FA1DCA180D3B4E4418F50
                                                  APIs
                                                    • Part of subcall function 03093810: GetProcessHeap.KERNEL32(00000000,00000000,?,03094046,?,00000000,00000000,00000000,00000000,?,?,?), ref: 03093819
                                                    • Part of subcall function 03093810: HeapAlloc.KERNEL32(00000000,?,03094046,?,00000000,00000000,00000000,00000000,?,?,?), ref: 03093820
                                                  • sprintf.MSVCRT ref: 0309F2E9
                                                  • CreateFileA.KERNEL32(00000000,00000000,00000003,00000000,00000003,00000000,00000000), ref: 0309F2FA
                                                  • memset.MSVCRT ref: 0309F323
                                                  • DeviceIoControl.KERNEL32(00000000,002D1400,030A09A7,0000000C,?,00000400,00000000,00000000), ref: 0309F352
                                                  • CloseHandle.KERNEL32(00000000), ref: 0309F35B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: Heap$AllocCloseControlCreateDeviceFileHandleProcessmemsetsprintf
                                                  • String ID: \\.\%c:
                                                  • API String ID: 2995886503-1260769427
                                                  • Opcode ID: 52da5767520392f2299c31185219bfce1c445cc8b62e5adb946c7d25a1dbfeda
                                                  • Instruction ID: 1d61d3ce74cb0310830c54cb566093d1f1a5632e56af3ea9474b6f1128633312
                                                  • Opcode Fuzzy Hash: 52da5767520392f2299c31185219bfce1c445cc8b62e5adb946c7d25a1dbfeda
                                                  • Instruction Fuzzy Hash: 7021C8F190120D7FEB10DF98AC85EFFB7BCEB85655F0041BAE608A6140D6B40E4446A1
                                                  APIs
                                                  • WSAStartup.WS2_32(00000202,?), ref: 030981E3
                                                  • socket.WS2_32(00000002,00000001,00000006), ref: 030981F9
                                                  • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 0309820F
                                                  • closesocket.WS2_32(00000000), ref: 0309821A
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: Startupclosesocketioctlsocketsocket
                                                  • String ID:
                                                  • API String ID: 3235567692-0
                                                  • Opcode ID: 99a00781a98e2d090824e08d9e6a8e1d87241bac9156ba88cfc4ef0652faaba6
                                                  • Instruction ID: da57cf21f71c34ae6b8e20fedf4a09932b73d8fa2987b8e32cb21c3cedb418d8
                                                  • Opcode Fuzzy Hash: 99a00781a98e2d090824e08d9e6a8e1d87241bac9156ba88cfc4ef0652faaba6
                                                  • Instruction Fuzzy Hash: 8B014935642B1C75FA20E6E8AC06FFE725CCF46720F0042A1FB18AE1C0EBF11A546395
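The numeric arguments the plugin recovered in the listings above are plain SDK constants that can be decoded offline: the 0x2D1400 control code passed to DeviceIoControl in the "\\.\%c:" function, the 0x8004667E command passed to ioctlsocket here, the 0x40000001 open mode of CreateNamedPipeA, and the 0x202 and (2,1,6) arguments of WSAStartup and socket. The Python below is an added example, not part of the report, that splits each value into its fields using the layouts from winioctl.h (CTL_CODE), winsock2.h (_IOW/_IOR) and winbase.h; the name tables cover only a handful of codes and are the example's own selection. With those fields, the DeviceIoControl call resolves to IOCTL_STORAGE_QUERY_PROPERTY with a 0xC-byte input buffer, which is sizeof(STORAGE_PROPERTY_QUERY), and the volume handle was opened with desired access 0 and OPEN_EXISTING, so the query needs no read or write right on the volume; the ioctlsocket call is FIONBIO with argument 1, i.e. the freshly created TCP socket is switched to non-blocking before closesocket is called.

```python
# Added example: decode the numeric arguments recorded in the report's API calls.
# Field layouts follow the Windows SDK headers; the name tables are a small selection.

METHODS = ("METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER")
ACCESS = ("FILE_ANY_ACCESS", "FILE_READ_ACCESS", "FILE_WRITE_ACCESS",
          "FILE_READ_ACCESS|FILE_WRITE_ACCESS")
DEVICE_TYPES = {0x07: "FILE_DEVICE_DISK", 0x09: "FILE_DEVICE_FILE_SYSTEM",
                0x2D: "FILE_DEVICE_MASS_STORAGE"}
KNOWN_IOCTLS = {                                   # CTL_CODE(device, function, method, access)
    0x2D1400: "IOCTL_STORAGE_QUERY_PROPERTY",      # (0x2D, 0x500, BUFFERED, ANY)
    0x2D1080: "IOCTL_STORAGE_GET_DEVICE_NUMBER",   # (0x2D, 0x420, BUFFERED, ANY)
    0x070000: "IOCTL_DISK_GET_DRIVE_GEOMETRY",     # (0x07, 0x000, BUFFERED, ANY)
}

def decode_ctl_code(code: int) -> dict:
    """CTL_CODE layout: device type bits 31..16 | access 15..14 | function 13..2 | method 1..0."""
    return {
        "device_type": DEVICE_TYPES.get(code >> 16, hex(code >> 16)),
        "access": ACCESS[(code >> 14) & 0x3],
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 0x3],
        "name": KNOWN_IOCTLS.get(code, "unknown"),
    }

IOC_VOID, IOC_OUT, IOC_IN = 0x20000000, 0x40000000, 0x80000000
KNOWN_WSA_IOCTLS = {0x8004667E: "FIONBIO",      # _IOW('f', 126, u_long)
                    0x4004667F: "FIONREAD",     # _IOR('f', 127, u_long)
                    0x40047307: "SIOCATMARK"}   # _IOR('s',   7, u_long)

def decode_wsa_ioctl(cmd: int) -> dict:
    """Winsock ioctl layout: direction bits 31..29 | IOCPARM_LEN 22..16 | group char 15..8 | number 7..0."""
    direction = [n for bit, n in ((IOC_IN, "IOC_IN"), (IOC_OUT, "IOC_OUT"), (IOC_VOID, "IOC_VOID"))
                 if cmd & bit]
    return {
        "direction": "|".join(direction),
        "size": (cmd >> 16) & 0x7F,
        "group": chr((cmd >> 8) & 0xFF),
        "number": cmd & 0xFF,
        "name": KNOWN_WSA_IOCTLS.get(cmd, "unknown"),
    }

PIPE_ACCESS = {1: "PIPE_ACCESS_INBOUND", 2: "PIPE_ACCESS_OUTBOUND", 3: "PIPE_ACCESS_DUPLEX"}
PIPE_FLAGS = {0x00080000: "FILE_FLAG_FIRST_PIPE_INSTANCE",
              0x40000000: "FILE_FLAG_OVERLAPPED",
              0x80000000: "FILE_FLAG_WRITE_THROUGH"}

def decode_pipe_open_mode(mode: int) -> list:
    """CreateNamedPipe dwOpenMode: access direction in the low two bits plus file flags."""
    names = [PIPE_ACCESS.get(mode & 0x3, "no PIPE_ACCESS_* bits")]
    names += [n for bit, n in sorted(PIPE_FLAGS.items()) if mode & bit]
    return names

SHARE = {1: "FILE_SHARE_READ", 2: "FILE_SHARE_WRITE", 4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}

def decode_create_file(access: int, share: int, disposition: int) -> dict:
    return {
        "access": "0 (query/IOCTL only, no data access)" if access == 0 else hex(access),
        "share": "|".join(n for bit, n in sorted(SHARE.items()) if share & bit) or "0",
        "disposition": DISPOSITION.get(disposition, hex(disposition)),
    }

def decode_wsa_version(ver: int) -> tuple:
    """WSAStartup packs the requested version as minor << 8 | major."""
    return ver & 0xFF, ver >> 8

def decode_socket_args(af: int, typ: int, proto: int) -> tuple:
    return ({2: "AF_INET", 23: "AF_INET6"}.get(af, af),
            {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}.get(typ, typ),
            {6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}.get(proto, proto))

def decode_report_calls() -> dict:
    """Argument values exactly as the report prints them for the calls at
    0309F2FA, 0309F352, 030981E3, 030981F9, 0309820F and 03093C0F."""
    return {
        "CreateFileA": decode_create_file(0x0, 0x3, 0x3),
        "DeviceIoControl": decode_ctl_code(0x2D1400),
        "WSAStartup": decode_wsa_version(0x202),
        "socket": decode_socket_args(2, 1, 6),
        "ioctlsocket": decode_wsa_ioctl(0x8004667E),
        "CreateNamedPipeA": decode_pipe_open_mode(0x40000001),
    }

if __name__ == "__main__":
    for api, fields in decode_report_calls().items():
        print(f"{api}: {fields}")
```

The same field splits apply to any other DeviceIoControl or ioctlsocket value in the report: an unknown code still yields its device type, function number and transfer method, which is usually enough to locate it in winioctl.h.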
                                                  APIs
                                                  • CreateThread.KERNEL32(00000000,00000000,0309E750,00000000,00000000,00000000), ref: 0309A659
                                                  • MessageBoxA.USER32(00000000,This binary is invalid.Main reasons:- you stupid cracker- you stupid cracker...- you stupid cracker?!,binBot Error,00000030), ref: 0309A66F
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0309A678
                                                  • ExitProcess.KERNEL32 ref: 0309A680
                                                  Strings
                                                  • binBot Error, xrefs: 0309A661
                                                  • This binary is invalid.Main reasons:- you stupid cracker- you stupid cracker...- you stupid cracker?!, xrefs: 0309A666
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: CreateExitMessageObjectProcessSingleThreadWait
                                                  • String ID: This binary is invalid.Main reasons:- you stupid cracker- you stupid cracker...- you stupid cracker?!$binBot Error
                                                  • API String ID: 2697768853-794396656
                                                  • Opcode ID: b55a0066413db27c89f48b53dff63b2b469f7f75a9403aafc0006560351f4bd0
                                                  • Instruction ID: 5ee2466f44764d1c28a3fe21fe11b76ed62647b859f1ebdc945bfd1fe702ee7e
                                                  • Opcode Fuzzy Hash: b55a0066413db27c89f48b53dff63b2b469f7f75a9403aafc0006560351f4bd0
                                                  • Instruction Fuzzy Hash: F0E05E317C7F51BBF638A6E0BC0FF4935145B00F52F210600F321BD0C48AD820009759
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$_snprintf_vsnprintfmemset
                                                  • String ID: %s_
                                                  • API String ID: 3230270962-1040268105
                                                  • Opcode ID: 89d152b2b21d45907d0140343fd73e84527e5298f9f03b4152bfa26187b5559f
                                                  • Instruction ID: d7d0ef459953d7752b0a7e47f3f9801cc324e413ecd15b7cc88feecfd0e2c7c9
                                                  • Opcode Fuzzy Hash: 89d152b2b21d45907d0140343fd73e84527e5298f9f03b4152bfa26187b5559f
                                                  • Instruction Fuzzy Hash: D311C876A413197BFB20E6A89C85FFB77ACDB84B50F0805A8B9189B141E5B09E0487A1
                                                  APIs
                                                  • _snprintf.MSVCRT ref: 030A02C8
                                                  • strstr.MSVCRT ref: 030A02EF
                                                  • atoi.MSVCRT ref: 030A0322
                                                  • lstrlenA.KERNEL32(00000000), ref: 030A0386
                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 030A03E4
                                                  • HeapFree.KERNEL32(?,00000000,00000000), ref: 030A03EE
                                                  • LeaveCriticalSection.KERNEL32(030DB4E4), ref: 030A03FD
                                                  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 030A041F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: FreeHeap$CriticalLeaveSection_snprintfatoilstrlenstrstr
                                                  • String ID: %s=
                                                  • API String ID: 1805118874-2646424381
                                                  • Opcode ID: 8b5c913124138f96a4740efad9529ce2e2595076d320998661e91dad48de8c56
                                                  • Instruction ID: 758645dc60c119e71b2f3ce2a576a82e6a16ae80c35ea76e63ceef402eeb0fd5
                                                  • Opcode Fuzzy Hash: 8b5c913124138f96a4740efad9529ce2e2595076d320998661e91dad48de8c56
                                                  • Instruction Fuzzy Hash: AB11E976A42B0EAFDB20D6D8FC80BFEF3BCFB84200F084069E91857100D671AC418B90
                                                  APIs
                                                  • _snprintf.MSVCRT ref: 030945D5
                                                  • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,03094BA5,?), ref: 030945FD
                                                  • MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000,?,?,00010000,EDB88320,00000000), ref: 03094636
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: File$CreateMappingView_snprintf
                                                  • String ID: %s_%d
                                                  • API String ID: 1261873476-1933919280
                                                  • Opcode ID: e5d90cb27c900d6e28ee5a5ca43db3abaaffdd7cb102ebed79bc5ddad58f24ee
                                                  • Instruction ID: 604e849337e726166725dac961a9cec2a67f1746d42cd1b816d20eb6ee57dc54
                                                  • Opcode Fuzzy Hash: e5d90cb27c900d6e28ee5a5ca43db3abaaffdd7cb102ebed79bc5ddad58f24ee
                                                  • Instruction Fuzzy Hash: 2361E4756017028BE725DF18D880BB6B7E5FF84304F18817DE6868B385D778A8A0DB40
                                                  APIs
                                                  • _snprintf.MSVCRT ref: 0309510F
                                                  • CreateMutexA.KERNEL32(00000000,00000000,?), ref: 03095122
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0309512B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: CreateMutexObjectSingleWait_snprintf
                                                  • String ID: %s-comm$65b46629
                                                  • API String ID: 3057366584-2322470383
                                                  • Opcode ID: 09d96f96f37710aa67488b987de75c44091e976ae5ddf7a4e673f56d43ac4765
                                                  • Instruction ID: a771048e8e752fd329ac023b666adae6e6fc73c3e0de04ef250d16611064663f
                                                  • Opcode Fuzzy Hash: 09d96f96f37710aa67488b987de75c44091e976ae5ddf7a4e673f56d43ac4765
                                                  • Instruction Fuzzy Hash: C1212579A833046FEB54EB51DC41FFF33A8A784701F040699E914AB142EBB59A54CBA0
                                                  APIs
                                                    • Part of subcall function 03099FF0: strtok.MSVCRT ref: 0309A013
                                                    • Part of subcall function 03099FF0: strtok.MSVCRT ref: 0309A04F
                                                  • lstrlenA.KERNEL32(?), ref: 0309E517
                                                  • _memicmp.MSVCRT ref: 0309E525
                                                  • Sleep.KERNEL32(000003E8), ref: 0309E54E
                                                  • HeapFree.KERNEL32(03490000,00000000,?), ref: 0309E57A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: strtok$FreeHeapSleep_memicmplstrlen
                                                  • String ID: [Login]: %s
                                                  • API String ID: 2470415281-2266835287
                                                  • Opcode ID: 6565077f23f53a6f9f3b72e0b5cdae83ff13d75756233d788bef62f5bf7cdf44
                                                  • Instruction ID: 28d1ef4c0e4e16cb2a2821f58c8155937ec98627c24fb84cee8d9b4020a038f1
                                                  • Opcode Fuzzy Hash: 6565077f23f53a6f9f3b72e0b5cdae83ff13d75756233d788bef62f5bf7cdf44
                                                  • Instruction Fuzzy Hash: FE21A4B9602704AFEB20EA98EC81FABB3ECEB84750F144419F8054B241E775AD40DBA1
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,CreateFileW), ref: 03091C6E
                                                    • Part of subcall function 03093750: LdrGetProcedureAddress.NTDLL(?,00000000,00000000,?), ref: 0309376B
                                                  • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 03091CC6
                                                  • CloseHandle.KERNEL32(00000000), ref: 03091CD9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: Handle$AddressCloseFileModuleProcedureWrite
                                                  • String ID: CreateFileW$kernel32.dll
                                                  • API String ID: 2185083974-2113957990
                                                  • Opcode ID: 0a39d605de72b162ef641a6fb3050a0e2ad4895b2b72a27b9b4229beeded0107
                                                  • Instruction ID: 69792dd4341ea59dd73f9c5cbcaafe5fb027613eb88ce6c7af1575cfe31b20f9
                                                  • Opcode Fuzzy Hash: 0a39d605de72b162ef641a6fb3050a0e2ad4895b2b72a27b9b4229beeded0107
                                                  • Instruction Fuzzy Hash: FC0148F6702A197FEB08DEACAC86FEF739D9B45220F148229F921972C0D2745D0457A0
                                                  APIs
                                                  • _snprintf.MSVCRT ref: 0309508F
                                                  • CreateMutexA.KERNEL32(00000000,00000000,?), ref: 030950A2
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 030950AB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: CreateMutexObjectSingleWait_snprintf
                                                  • String ID: %s-pid$65b46629
                                                  • API String ID: 3057366584-3921207861
                                                  • Opcode ID: 3b0579aec969957e697b0440ebf3f869effb9950072c89b5b1cadd17318b9668
                                                  • Instruction ID: 05dd2f8e9e48a9553fdee537db0486efe7240129b32f00259572e68c67d28888
                                                  • Opcode Fuzzy Hash: 3b0579aec969957e697b0440ebf3f869effb9950072c89b5b1cadd17318b9668
                                                  • Instruction Fuzzy Hash: D2F059B49433046BFF60F2B1AC8AFDB32A89340711F040256F714990C0E9F545949AA1
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: strstr$lstrcmp
                                                  • String ID: bdns$block
                                                  • API String ID: 142677638-4143068083
                                                  • Opcode ID: f0a04a56d1fb1c7a857c2294933f2dae90ece6bbb07525e63eaa4e0eb922a259
                                                  • Instruction ID: add74a09c475fbd51901eb0bebf46cb163f7d6657a0f14f0a3404ba1c6ca3ba0
                                                  • Opcode Fuzzy Hash: f0a04a56d1fb1c7a857c2294933f2dae90ece6bbb07525e63eaa4e0eb922a259
                                                  • Instruction Fuzzy Hash: 3421C77674260A6BAF14DE88BC45DBFB3BCDB98611F04411AFC0597241E774E91096B1
                                                  APIs
                                                  • LocalAlloc.KERNEL32(00000040,0000103A), ref: 03097E2C
                                                  • socket.WS2_32(00000002,00000001,00000006), ref: 03097E63
                                                  • ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 03097E7A
                                                  • connect.WS2_32(?,00000008,00000010), ref: 03097E8B
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: AllocLocalconnectioctlsocketsocket
                                                  • String ID:
                                                  • API String ID: 3721573447-0
                                                  • Opcode ID: 775eb1beedc12171199c19eaa8f6388c8347a784b50ee8eefcf7caa874e6ec2b
                                                  • Instruction ID: bb5811eb69cf4d42104daafcc357994aefee09e22618194134517b55d24a4db8
                                                  • Opcode Fuzzy Hash: 775eb1beedc12171199c19eaa8f6388c8347a784b50ee8eefcf7caa874e6ec2b
                                                  • Instruction Fuzzy Hash: 5C112E35A01704AFD720DF99D809FD6B7E8DF49720F00465AF959DB390D3B158549790
                                                  APIs
                                                  • lstrlenA.KERNEL32(?), ref: 0309E77C
                                                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00000012,?), ref: 0309E793
                                                  • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?,00000000), ref: 0309E7B5
                                                  • RegNotifyChangeKeyValue.ADVAPI32(?,00000000,00000004,00000000,00000000), ref: 0309E7C3
                                                  • RegCloseKey.ADVAPI32(?), ref: 0309E7D1
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: Value$ChangeCloseNotifyOpenlstrlen
                                                  • String ID:
                                                  • API String ID: 2592630252-0
                                                  • Opcode ID: 6015cb0d7455e5eba7f6dd6b514b0d28dd604f829f3fdb934b0784f992394eaa
                                                  • Instruction ID: 50f5a3c562c85d86ad96c7c188bf0f8d0a8a1d52dd417748f4140b2bffb22add
                                                  • Opcode Fuzzy Hash: 6015cb0d7455e5eba7f6dd6b514b0d28dd604f829f3fdb934b0784f992394eaa
                                                  • Instruction Fuzzy Hash: 2D015E75340704BFEB24DA65DC89F9777ACEB88B50F108419BA0597284D6B4E800DB60
                                                  APIs
                                                  • memset.MSVCRT ref: 0309771E
                                                  • _snprintf.MSVCRT ref: 03097738
                                                  • lstrlenA.KERNEL32(00000000), ref: 03097747
                                                    • Part of subcall function 03094900: WaitForSingleObject.KERNEL32(03097495,000000FF,?,00000000,771B0440,?,03097495), ref: 03094939
                                                    • Part of subcall function 03094900: ReleaseMutex.KERNEL32(?,?,03097495), ref: 0309497C
                                                  • lstrcmpA.KERNEL32(00000000,030A1A30), ref: 0309777F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: MutexObjectReleaseSingleWait_snprintflstrcmplstrlenmemset
                                                  • String ID: state_%s
                                                  • API String ID: 1716770999-3670522127
                                                  • Opcode ID: eb85f03a430347ce499cca51edd68b944b938437c05121bba5d0f4734d84a543
                                                  • Instruction ID: 8fe20ede1a0dc52b81b5a8bc2de68e6eef99425f8a4e1637189752c1c2a4a802
                                                  • Opcode Fuzzy Hash: eb85f03a430347ce499cca51edd68b944b938437c05121bba5d0f4734d84a543
                                                  • Instruction Fuzzy Hash: D4012BB9A513086EDB14F6A8ED0AFF973AC9B44600F0041D4B62896041F5705A044A90
                                                  APIs
                                                  • lstrcmpA.KERNEL32(?,C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe), ref: 0309251D
                                                    • Part of subcall function 03097700: memset.MSVCRT ref: 0309771E
                                                    • Part of subcall function 03097700: _snprintf.MSVCRT ref: 03097738
                                                    • Part of subcall function 03097700: lstrlenA.KERNEL32(00000000), ref: 03097747
                                                    • Part of subcall function 0309A310: memset.MSVCRT ref: 0309A335
                                                    • Part of subcall function 0309A310: memset.MSVCRT ref: 0309A34F
                                                    • Part of subcall function 0309A310: memset.MSVCRT ref: 0309A369
                                                    • Part of subcall function 0309A310: _vsnprintf.MSVCRT ref: 0309A382
                                                    • Part of subcall function 0309A310: sprintf.MSVCRT ref: 0309A39A
                                                    • Part of subcall function 0309A310: lstrlenA.KERNEL32(30e4*ga1,?,?,00000000,000003FF,?,00000000,771B0440,?,030974EB,%s.%s,blk,?,?,000001FE,030A0A8E), ref: 0309A3AD
                                                    • Part of subcall function 0309A310: _snprintf.MSVCRT ref: 0309A3CC
                                                    • Part of subcall function 0309A310: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000,771B0440,?,030974EB), ref: 0309A3DB
                                                    • Part of subcall function 0309A310: sprintf.MSVCRT ref: 0309A3EC
                                                    • Part of subcall function 0309A310: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 0309A3FB
                                                    • Part of subcall function 0309A310: lstrlenA.KERNEL32(30e4*ga1,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 0309A404
                                                    • Part of subcall function 0309A310: EnterCriticalSection.KERNEL32(030DAC34,?,?,00000000), ref: 0309A436
                                                    • Part of subcall function 0309A310: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000003,00000000,00000000), ref: 0309A452
                                                    • Part of subcall function 0309A310: LeaveCriticalSection.KERNEL32(030DAC34,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0309A464
                                                  Strings
                                                  • C:\Windows\SysWOW64\calc.exe, xrefs: 03092539
                                                  • C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe, xrefs: 03092517
                                                  • pdef, xrefs: 03092527
                                                  • %s.Blocked "%s" from moving our bot file, xrefs: 03092543
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$memset$CriticalSection_snprintfsprintf$CreateEnterFileLeave_vsnprintflstrcmp
                                                  • String ID: %s.Blocked "%s" from moving our bot file$C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe$C:\Windows\SysWOW64\calc.exe$pdef
                                                  • API String ID: 3823578686-690228127
                                                  • Opcode ID: 8d2badb211675159a187723761c01d6bac0b810fd06da24a75a3277618117d69
                                                  • Instruction ID: 8d0d9bd3aa4689c9d7c267618b3ba990e8115910092e907c859d8e7b954ab253
                                                  • Opcode Fuzzy Hash: 8d2badb211675159a187723761c01d6bac0b810fd06da24a75a3277618117d69
                                                  • Instruction Fuzzy Hash: 4BE09237B53A187BDA00F68C7C02EDE779CEB29662F084022F915ED102D262A51153AA
                                                  APIs
                                                  • lstrcmpW.KERNEL32(?,C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe), ref: 0309257D
                                                    • Part of subcall function 03097700: memset.MSVCRT ref: 0309771E
                                                    • Part of subcall function 03097700: _snprintf.MSVCRT ref: 03097738
                                                    • Part of subcall function 03097700: lstrlenA.KERNEL32(00000000), ref: 03097747
                                                    • Part of subcall function 0309A310: memset.MSVCRT ref: 0309A335
                                                    • Part of subcall function 0309A310: memset.MSVCRT ref: 0309A34F
                                                    • Part of subcall function 0309A310: memset.MSVCRT ref: 0309A369
                                                    • Part of subcall function 0309A310: _vsnprintf.MSVCRT ref: 0309A382
                                                    • Part of subcall function 0309A310: sprintf.MSVCRT ref: 0309A39A
                                                    • Part of subcall function 0309A310: lstrlenA.KERNEL32(30e4*ga1,?,?,00000000,000003FF,?,00000000,771B0440,?,030974EB,%s.%s,blk,?,?,000001FE,030A0A8E), ref: 0309A3AD
                                                    • Part of subcall function 0309A310: _snprintf.MSVCRT ref: 0309A3CC
                                                    • Part of subcall function 0309A310: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000,771B0440,?,030974EB), ref: 0309A3DB
                                                    • Part of subcall function 0309A310: sprintf.MSVCRT ref: 0309A3EC
                                                    • Part of subcall function 0309A310: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 0309A3FB
                                                    • Part of subcall function 0309A310: lstrlenA.KERNEL32(30e4*ga1,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 0309A404
                                                    • Part of subcall function 0309A310: EnterCriticalSection.KERNEL32(030DAC34,?,?,00000000), ref: 0309A436
                                                    • Part of subcall function 0309A310: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000003,00000000,00000000), ref: 0309A452
                                                    • Part of subcall function 0309A310: LeaveCriticalSection.KERNEL32(030DAC34,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0309A464
                                                  Strings
                                                  • C:\Windows\SysWOW64\calc.exe, xrefs: 03092599
                                                  • C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe, xrefs: 03092577
                                                  • pdef, xrefs: 03092587
                                                  • %s.Blocked "%S" from moving our bot file, xrefs: 030925A3
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$memset$CriticalSection_snprintfsprintf$CreateEnterFileLeave_vsnprintflstrcmp
                                                  • String ID: %s.Blocked "%S" from moving our bot file$C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe$C:\Windows\SysWOW64\calc.exe$pdef
                                                  • API String ID: 3823578686-4050810661
                                                  • Opcode ID: c633f89bd6b4113e6dc875789ad95fca9e81b86a51897c75dab6f4f36597f276
                                                  • Instruction ID: 61d4cf36b76f9b1d4e9d22176cec44a8e02936a457aec88b61e4a22c0d9359d8
                                                  • Opcode Fuzzy Hash: c633f89bd6b4113e6dc875789ad95fca9e81b86a51897c75dab6f4f36597f276
                                                  • Instruction Fuzzy Hash: ABE0D837743B187BDA40F5CCBC01EDF779CAB21662F044023F825DE102D263A51053AA
                                                  APIs
                                                  • lstrcmpA.KERNEL32(?,C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe), ref: 030915CD
                                                    • Part of subcall function 03097700: memset.MSVCRT ref: 0309771E
                                                    • Part of subcall function 03097700: _snprintf.MSVCRT ref: 03097738
                                                    • Part of subcall function 03097700: lstrlenA.KERNEL32(00000000), ref: 03097747
                                                    • Part of subcall function 0309A310: memset.MSVCRT ref: 0309A335
                                                    • Part of subcall function 0309A310: memset.MSVCRT ref: 0309A34F
                                                    • Part of subcall function 0309A310: memset.MSVCRT ref: 0309A369
                                                    • Part of subcall function 0309A310: _vsnprintf.MSVCRT ref: 0309A382
                                                    • Part of subcall function 0309A310: sprintf.MSVCRT ref: 0309A39A
                                                    • Part of subcall function 0309A310: lstrlenA.KERNEL32(30e4*ga1,?,?,00000000,000003FF,?,00000000,771B0440,?,030974EB,%s.%s,blk,?,?,000001FE,030A0A8E), ref: 0309A3AD
                                                    • Part of subcall function 0309A310: _snprintf.MSVCRT ref: 0309A3CC
                                                    • Part of subcall function 0309A310: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000,771B0440,?,030974EB), ref: 0309A3DB
                                                    • Part of subcall function 0309A310: sprintf.MSVCRT ref: 0309A3EC
                                                    • Part of subcall function 0309A310: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 0309A3FB
                                                    • Part of subcall function 0309A310: lstrlenA.KERNEL32(30e4*ga1,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 0309A404
                                                    • Part of subcall function 0309A310: EnterCriticalSection.KERNEL32(030DAC34,?,?,00000000), ref: 0309A436
                                                    • Part of subcall function 0309A310: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000003,00000000,00000000), ref: 0309A452
                                                    • Part of subcall function 0309A310: LeaveCriticalSection.KERNEL32(030DAC34,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0309A464
                                                  Strings
                                                  • C:\Windows\SysWOW64\calc.exe, xrefs: 030915E9
                                                  • C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe, xrefs: 030915C7
                                                  • %s.Blocked "%s" from removing our bot file!, xrefs: 030915F3
                                                  • pdef, xrefs: 030915D7
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                  • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                  • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$memset$CriticalSection_snprintfsprintf$CreateEnterFileLeave_vsnprintflstrcmp
                                                  • String ID: %s.Blocked "%s" from removing our bot file!$C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe$C:\Windows\SysWOW64\calc.exe$pdef
                                                  • API String ID: 3823578686-3336909930
                                                  • Opcode ID: 1cb79cfa6b7f6b71db8d84f22a4058a19d7250c6deada2ebf81a0550dffc10fa
                                                  • Instruction ID: 4504e55d7f0511f7ced226edea483b3f7cc9ca20c572a406b1f1d3dee2a0bda7
                                                  • Opcode Fuzzy Hash: 1cb79cfa6b7f6b71db8d84f22a4058a19d7250c6deada2ebf81a0550dffc10fa
                                                  • Instruction Fuzzy Hash: BFE0D877F53B147BDA00F5CC7C41DCE738C9B296A2F080033F515AD002D253A01052AE
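The entries above describe behaviour only as raw API chains and immediates: a mutex named from `%s-pid` and acquired straight away, a `socket`/`ioctlsocket`/`connect` sequence with the immediate `8004667E`, a `RegOpenKeyExA`/`RegSetValueExA`/`RegNotifyChangeKeyValue` sequence, and `lstrcmpA`/`lstrcmpW` against the dropped `Hsnpnw.exe` path next to the `Blocked "%s" from moving/removing our bot file` strings. The Python script below is an added example written for this page; it is not part of the Joe Sandbox report and not code from the sample. It parses lines copied verbatim from those entries (the blank-line separator between function blocks and the `S:` prefix on string lines are the script's own conventions, not the report's), decodes the documented Win32 constants that the report prints only as hex (`0x8004667E` is `FIONBIO`, `0x12` is `KEY_SET_VALUE|KEY_NOTIFY`, `0x4` is `REG_NOTIFY_CHANGE_LAST_SET`), and flags the four patterns. The rule names and the behavioural readings are this editor's interpretation of the chains, not labels the report assigns.

```python
"""Triage Joe Sandbox function-level API chains for behavioural patterns (added example)."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed input: API and string lines copied from the report entries above, one block per
# function. The blank-line separator and the "S:" prefix on string lines are this script's own.
SAMPLE = r"""
_snprintf.MSVCRT ref: 0309508F
CreateMutexA.KERNEL32(00000000,00000000,?), ref: 030950A2
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 030950AB
S: %s-pid

socket.WS2_32(00000002,00000001,00000006), ref: 03097E63
ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 03097E7A
connect.WS2_32(?,00000008,00000010), ref: 03097E8B

RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00000012,?), ref: 0309E793
RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?,00000000), ref: 0309E7B5
RegNotifyChangeKeyValue.ADVAPI32(?,00000000,00000004,00000000,00000000), ref: 0309E7C3
RegCloseKey.ADVAPI32(?), ref: 0309E7D1

lstrcmpA.KERNEL32(?,C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe), ref: 0309251D
S: C:\Windows\SysWOW64\calc.exe, xrefs: 03092539
S: %s.Blocked "%s" from moving our bot file, xrefs: 03092543
"""

API_RE = re.compile(r"^(?:•\s*)?(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?(?P<api>\w+)"
                    r"\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
STR_RE = re.compile(r"^S:\s*(.*?)(?:, xrefs: [0-9A-Fa-f]+)?$")
BOT_FILE_RE = re.compile(r'Blocked "%[sS]" from (moving|removing) our bot file')
# Documented Win32 constants that the report shows only as raw immediates.
FIONBIO = 0x8004667E                 # ioctlsocket: put the socket into non-blocking mode
KEY_SET_VALUE, KEY_NOTIFY = 0x0002, 0x0010
REG_NOTIFY_CHANGE_LAST_SET = 0x0004  # RegNotifyChangeKeyValue: fire when a value is written

# args holds ints for 8-hex-digit immediates and raw text otherwise ('?', paths, formats).
Call = namedtuple("Call", "api args ref subcall")

@dataclass
class Entry:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    def first(self, prefix):
        return next((c for c in self.calls if c.api.startswith(prefix)), None)

def arg(call, i):
    # Argument i as an int, or None when absent or not a literal immediate.
    v = call.args[i] if call and i < len(call.args) else None
    return v if isinstance(v, int) else None

def parse_entries(text):
    entries, cur = [], Entry()
    for line in (l.strip() for l in text.splitlines() + [""]):  # trailing "" flushes the last block
        if not line:
            if cur.calls or cur.strings:
                entries.append(cur)
                cur = Entry()
        elif (m := STR_RE.match(line)):
            cur.strings.append(m.group(1))
        elif (m := API_RE.match(line)):
            args = [int(a, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", a) else a
                    for a in (m["args"] or "").split(",") if a]
            cur.calls.append(Call(m["api"], args, m["ref"], bool(m["sub"])))
    return entries

def rule_registry_watchdog(e):
    op, nt = e.first("RegOpenKeyEx"), e.first("RegNotifyChangeKeyValue")
    if not (op and e.first("RegSetValueEx") and nt):
        return None
    access, filt = arg(op, 3) or 0, arg(nt, 2) or 0
    flags = "KEY_SET_VALUE|KEY_NOTIFY" if access & KEY_SET_VALUE and access & KEY_NOTIFY else hex(access)
    wait = "until the value is written again" if filt & REG_NOTIFY_CHANGE_LAST_SET else f"on filter {hex(filt)}"
    return f"registry value watchdog: opens key with {flags}, writes a value, then blocks {wait}"

def rule_nonblocking_connect(e):
    names, io, sk = [c.api for c in e.calls], e.first("ioctlsocket"), e.first("socket")
    if not (sk and io and "connect" in names and arg(io, 1) == FIONBIO
            and names.index("ioctlsocket") < names.index("connect")):
        return None
    fam, typ = ("AF_INET" if arg(sk, 0) == 2 else "?"), ("SOCK_STREAM" if arg(sk, 1) == 1 else "?")
    return f"non-blocking {fam}/{typ} connect: FIONBIO set before connect(), so it returns at once and the caller polls"

def rule_mutex_guard(e):
    if not (e.first("CreateMutex") and e.first("WaitForSingleObject")):
        return None
    fmt = next((s for s in e.strings if "%s" in s), None)
    return "mutex acquired straight after creation" + (f", name built from format {fmt!r}" if fmt else "")

def rule_bot_file_guard(e):
    cmp_, hits = e.first("lstrcmp"), [m.group(1) for m in map(BOT_FILE_RE.search, e.strings) if m]
    if not (cmp_ and hits):
        return None
    target = next((a for a in cmp_.args if isinstance(a, str) and "\\" in a), "?")
    return f"self-protection: compares a path with {target} and logs that it blocked {hits[0]} of its own file"

RULES = (rule_registry_watchdog, rule_nonblocking_connect, rule_mutex_guard, rule_bot_file_guard)

def triage(text):
    """(first ref address, rule name, description) for every rule that fires on each entry."""
    return [(e.calls[0].ref if e.calls else "?", r.__name__[5:], hit)
            for e in parse_entries(text) for r in RULES if (hit := r(e))]
```

`triage()` returns one tuple per rule that fires, keyed by the first `ref` address of the block, so each finding can be matched back to the addresses in the report. The `000000FF` timeout shown for `WaitForSingleObject` is deliberately left undecoded: the report prints immediates as displayed, and that value should be confirmed in the disassembly before being read as a specific wait.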
                                                  APIs
                                                  • lstrcmpW.KERNEL32(?,C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe), ref: 0309162D
                                                    • Part of subcall function 03097700: memset.MSVCRT ref: 0309771E
                                                    • Part of subcall function 03097700: _snprintf.MSVCRT ref: 03097738
                                                    • Part of subcall function 03097700: lstrlenA.KERNEL32(00000000), ref: 03097747
                                                    • Part of subcall function 0309A310: memset.MSVCRT ref: 0309A335
                                                    • Part of subcall function 0309A310: memset.MSVCRT ref: 0309A34F
                                                    • Part of subcall function 0309A310: memset.MSVCRT ref: 0309A369
                                                    • Part of subcall function 0309A310: _vsnprintf.MSVCRT ref: 0309A382
                                                    • Part of subcall function 0309A310: sprintf.MSVCRT ref: 0309A39A
                                                    • Part of subcall function 0309A310: lstrlenA.KERNEL32(30e4*ga1,?,?,00000000,000003FF,?,00000000,771B0440,?,030974EB,%s.%s,blk,?,?,000001FE,030A0A8E), ref: 0309A3AD
                                                    • Part of subcall function 0309A310: _snprintf.MSVCRT ref: 0309A3CC
                                                    • Part of subcall function 0309A310: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000,771B0440,?,030974EB), ref: 0309A3DB
                                                    • Part of subcall function 0309A310: sprintf.MSVCRT ref: 0309A3EC
                                                    • Part of subcall function 0309A310: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 0309A3FB
                                                    • Part of subcall function 0309A310: lstrlenA.KERNEL32(30e4*ga1,?,?,?,?,?,?,?,?,?,?,?,00000000,000003FF,?,00000000), ref: 0309A404
                                                    • Part of subcall function 0309A310: EnterCriticalSection.KERNEL32(030DAC34,?,?,00000000), ref: 0309A436
                                                    • Part of subcall function 0309A310: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000003,00000000,00000000), ref: 0309A452
                                                    • Part of subcall function 0309A310: LeaveCriticalSection.KERNEL32(030DAC34,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0309A464
                                                  Strings
                                                  • %s.Blocked "%S" from removing our bot file!, xrefs: 03091653
                                                  • C:\Windows\SysWOW64\calc.exe, xrefs: 03091649
                                                  • C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe, xrefs: 03091627
                                                  • pdef, xrefs: 03091637
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                   • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$memset$CriticalSection_snprintfsprintf$CreateEnterFileLeave_vsnprintflstrcmp
                                                  • String ID: %s.Blocked "%S" from removing our bot file!$C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe$C:\Windows\SysWOW64\calc.exe$pdef
                                                  • API String ID: 3823578686-263097679
                                                  • Opcode ID: b559b6ceecf1d89ca71cb3e76c03ef6b77c8d5317c9204e5f60ac32b48a4281f
                                                  • Instruction ID: 66e769b13c0665e02bda6d85abf80809a71f3dd4a6ecd6bd81cd2f1d9b8e4671
                                                  • Opcode Fuzzy Hash: b559b6ceecf1d89ca71cb3e76c03ef6b77c8d5317c9204e5f60ac32b48a4281f
                                                  • Instruction Fuzzy Hash: A5E0DF77B43B287BDA10F5C87C02DCF739C9B21AA2F080023F525ED006D193A01052AE
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,?,?,?,03096C55,00000000), ref: 03096DA1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                   • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: HandleModule
                                                  • String ID: NtQueryInformationProcess$NtSetInformationProcess$ntdll.dll
                                                  • API String ID: 4139908857-4148885600
                                                  • Opcode ID: 74c5f909828bc4601f9fd3d566022af354b7fd1c6666a0e9dd2ae8caedb34e42
                                                  • Instruction ID: 8e5f7586d103fb6a860bc9510feff7ee227744db20eca6e9955c1b4e949eafd9
                                                  • Opcode Fuzzy Hash: 74c5f909828bc4601f9fd3d566022af354b7fd1c6666a0e9dd2ae8caedb34e42
                                                  • Instruction Fuzzy Hash: F101D4767477183BFE20D59DAC45FEAB39CCB86639F040193FE08EB240DAA1990096E4
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                   • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: ProcWindowsprintf
                                                  • String ID: %c:\$[USB]: Infected %s
                                                  • API String ID: 3179433310-2800184719
                                                  • Opcode ID: 42712fb9dbd405a2d00994064158bbdbc0c035f63775b6dcafc2d6ff8f990ebb
                                                  • Instruction ID: c6ca91408260b5db25c8afb4532b47479df76e68c77cb1e55c844823d63ceb55
                                                  • Opcode Fuzzy Hash: 42712fb9dbd405a2d00994064158bbdbc0c035f63775b6dcafc2d6ff8f990ebb
                                                  • Instruction Fuzzy Hash: EA112CB950120D5FEF10EE68EC51FBF73ACEB44205F08854AEE05DA102E675D911DB60
                                                  APIs
                                                    • Part of subcall function 03097700: memset.MSVCRT ref: 0309771E
                                                    • Part of subcall function 03097700: _snprintf.MSVCRT ref: 03097738
                                                    • Part of subcall function 03097700: lstrlenA.KERNEL32(00000000), ref: 03097747
                                                  • Sleep.KERNEL32(00001388), ref: 0309D78A
                                                  • Sleep.KERNEL32(00002710), ref: 0309D795
                                                  • ExitProcess.KERNEL32 ref: 0309D799
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                   • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: Sleep$ExitProcess_snprintflstrlenmemset
                                                  • String ID: bsod
                                                  • API String ID: 706155222-1315366068
                                                  • Opcode ID: 84da193b2c54bab2223ad3044860440eb868884d92ed074d2165e3d2becd5313
                                                  • Instruction ID: 7cbfee57dec082509bbf7700c03f505a463455d4bec3f0c68786ea19495af06e
                                                  • Opcode Fuzzy Hash: 84da193b2c54bab2223ad3044860440eb868884d92ed074d2165e3d2becd5313
                                                  • Instruction Fuzzy Hash: 8BD0A7729C7F30A3EA2173792C09F8FE874DF80F61F060611E805AF584A594294195E6
                                                  APIs
                                                    • Part of subcall function 03097330: memset.MSVCRT ref: 03097351
                                                    • Part of subcall function 03097330: lstrlenA.KERNEL32(?), ref: 03097369
                                                    • Part of subcall function 03097330: _snprintf.MSVCRT ref: 03097381
                                                    • Part of subcall function 03097330: _vsnprintf.MSVCRT ref: 030973A3
                                                    • Part of subcall function 03097330: lstrlenA.KERNEL32(00000000), ref: 030973B2
                                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000D760,00000000,00000000,00000000), ref: 0309E861
                                                  • CloseHandle.KERNEL32(00000000), ref: 0309E868
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                   • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$CloseCreateHandleThread_snprintf_vsnprintfmemset
                                                  • String ID: admin$isadmin
                                                  • API String ID: 3136305548-1977506819
                                                  • Opcode ID: 4eb45201b199222a1d8cea3d2db4e2bdfbaf17eeb54b508c8081af709d5615f4
                                                  • Instruction ID: d1e704860061467a0056532744574d1c32efd569c6f2f11a6d88a436af191422
                                                  • Opcode Fuzzy Hash: 4eb45201b199222a1d8cea3d2db4e2bdfbaf17eeb54b508c8081af709d5615f4
                                                  • Instruction Fuzzy Hash: 68D0C9797D2B007AF520A2A47D0FF0961481764F06F504921B610AD0C6A5D5601055A9
                                                  APIs
                                                    • Part of subcall function 03092460: GetProcessHeap.KERNEL32(?,030920DE,?), ref: 0309246C
                                                    • Part of subcall function 03092460: HeapAlloc.KERNEL32(03490000,00000008,030920DE,?,030920DE,?), ref: 0309247E
                                                  • inet_addr.WS2_32(?), ref: 030928BE
                                                  • DnsQuery_A.DNSAPI(?,00000001,00000008,00000000,?,00000000), ref: 03092939
                                                  • _stricmp.MSVCRT(?,?,?), ref: 0309294E
                                                  • DnsFree.DNSAPI(?,00000001), ref: 030929D9
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                   • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: Heap$AllocFreeProcessQuery__stricmpinet_addr
                                                  • String ID:
                                                  • API String ID: 3002912770-0
                                                  • Opcode ID: fb5c100c6546f9da26b6093bdf0cc4a741635be4c3e52991e9b7826daa34485b
                                                  • Instruction ID: fd8cec7f3160946a060300331174f890f6d9aa1d0b0f499547a556123f17d8c2
                                                  • Opcode Fuzzy Hash: fb5c100c6546f9da26b6093bdf0cc4a741635be4c3e52991e9b7826daa34485b
                                                  • Instruction Fuzzy Hash: 3051B274602208FFEB20DF58D880BAAB3FDEF85704F14485AD5899B384D771A941EB91
                                                  APIs
                                                  • Sleep.KERNEL32(000003E8), ref: 0309D5E4
                                                    • Part of subcall function 03098F50: ApplyControlToken.SECUR32(?,?), ref: 03098FB5
                                                    • Part of subcall function 03098F50: InitializeSecurityContextA.SECUR32(?,?,00000000,0008C11C,00000000,00000010,00000000,00000000,?,?,?,?), ref: 03098FF9
                                                    • Part of subcall function 03098F50: DeleteSecurityContext.SECUR32(?,?,?,00000000,0008C11C,00000000,00000010,00000000,00000000,?,?,?,?), ref: 03099025
                                                    • Part of subcall function 03098F50: FreeCredentialsHandle.SECUR32(?), ref: 0309902F
                                                  • Sleep.KERNEL32(0000000F), ref: 0309D659
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                   • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: ContextSecuritySleep$ApplyControlCredentialsDeleteFreeHandleInitializeToken
                                                  • String ID: %s:%d$cnc
                                                  • API String ID: 3241915987-1903477246
                                                  • Opcode ID: cd8233f60016f1a8059f94cb3c1dcf2ff836969587eea1c894ee2a7311ddcf37
                                                  • Instruction ID: 26cac80b203ed02bc48775cc0dba3c46b925fba640772a0acdbf8d3bf4f31105
                                                  • Opcode Fuzzy Hash: cd8233f60016f1a8059f94cb3c1dcf2ff836969587eea1c894ee2a7311ddcf37
                                                  • Instruction Fuzzy Hash: B341C676A02204EBEF10EB9CEC809AEF7F9EBC5614F044556E809DB305EA35ED0097A1
                                                  APIs
                                                  • ApplyControlToken.SECUR32(?,?), ref: 03098FB5
                                                  • InitializeSecurityContextA.SECUR32(?,?,00000000,0008C11C,00000000,00000010,00000000,00000000,?,?,?,?), ref: 03098FF9
                                                  • DeleteSecurityContext.SECUR32(?,?,?,00000000,0008C11C,00000000,00000010,00000000,00000000,?,?,?,?), ref: 03099025
                                                  • FreeCredentialsHandle.SECUR32(?), ref: 0309902F
                                                    • Part of subcall function 03098760: FreeContextBuffer.SECUR32(?), ref: 03098774
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                   • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: Context$FreeSecurity$ApplyBufferControlCredentialsDeleteHandleInitializeToken
                                                  • String ID:
                                                  • API String ID: 362823901-0
                                                  • Opcode ID: 473ee72a4d03c2c80bec0a231b0367761dacc4df10a6cb77e3194db2c88e40e6
                                                  • Instruction ID: c23042b42c1a4ed18a0768c31cc8186e1f466a4653b46617df7cfa2b136a76aa
                                                  • Opcode Fuzzy Hash: 473ee72a4d03c2c80bec0a231b0367761dacc4df10a6cb77e3194db2c88e40e6
                                                  • Instruction Fuzzy Hash: E641D5B1C01609ABDF10DF9AC8849EEFBFCFF98304F10850EE515A7650D7B5A6449BA4
                                                  APIs
                                                  • WaitForSingleObject.KERNEL32(03097495,000000FF,?,00000000,771B0440,?,03097495), ref: 03094939
                                                  • ReleaseMutex.KERNEL32(?,?,03097495), ref: 0309497C
                                                  • ReleaseMutex.KERNEL32(-0000FFFF,?,03097495), ref: 030949A5
                                                  • ReleaseMutex.KERNEL32(03097495,?,03097495), ref: 030949D1
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                   • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: MutexRelease$ObjectSingleWait
                                                  • String ID:
                                                  • API String ID: 257779224-0
                                                  • Opcode ID: a8485d8db2325626db5c9e1cd3b28e78fb519d08419105189e5ad9097423a2fe
                                                  • Instruction ID: 0e29e9c28a76495f1ac6b8cdfe62aa73d5df88014d3df8c55c4b60403dd89070
                                                  • Opcode Fuzzy Hash: a8485d8db2325626db5c9e1cd3b28e78fb519d08419105189e5ad9097423a2fe
                                                  • Instruction Fuzzy Hash: B32165312062068BEF64DF6AE8447A6B3EDFF81368F1D4567E588C7240E774D852D790
                                                  APIs
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,771B0440,?,030973CC,030C7C98,00000000,00000000,00000010,00000000), ref: 03094A10
                                                  • ReleaseMutex.KERNEL32(00000000,?,?,00000000), ref: 03094A77
                                                  • ReleaseMutex.KERNEL32(?,?,?,00000000), ref: 03094AA9
                                                  • ReleaseMutex.KERNEL32(?,00000000), ref: 03094ABC
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                   • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: MutexRelease$ObjectSingleWait
                                                  • String ID:
                                                  • API String ID: 257779224-0
                                                  • Opcode ID: 96a09f6ac12624645cd4780118786f043f883aa46a9fbcf94da1f8136c067c4b
                                                  • Instruction ID: 7a56598c677dc86973f8a77e10263cf4ec8e198bee914933bdc74c5241a6c508
                                                  • Opcode Fuzzy Hash: 96a09f6ac12624645cd4780118786f043f883aa46a9fbcf94da1f8136c067c4b
                                                  • Instruction Fuzzy Hash: CE2186762062159BEF50DE6AEC815EAB3E9EFC0654B19452BFC48CB340EB30D9439794
                                                  APIs
                                                  • memset.MSVCRT ref: 030911E1
                                                  • GetFileAttributesA.KERNEL32(?), ref: 03091201
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000208), ref: 03091241
                                                  • ExitThread.KERNEL32 ref: 03091261
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                   • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: AttributesByteCharExitFileMultiThreadWidememset
                                                  • String ID:
                                                  • API String ID: 1389112251-0
                                                  • Opcode ID: 807455fd8537f72f53b0de5dfc342fef1d2f6e9ea62eeecd9b3976882866b2ba
                                                  • Instruction ID: 716388bfa2605211f1ba5e4c57d355847b8caba908e382166d264278a4d151c0
                                                  • Opcode Fuzzy Hash: 807455fd8537f72f53b0de5dfc342fef1d2f6e9ea62eeecd9b3976882866b2ba
                                                  • Instruction Fuzzy Hash: AA218076201619ABEB54EF58EC49FEB37BCEB89711F044209FD1597280DA34A821CBA0
                                                  APIs
                                                  • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 0309D6FD
                                                  • RegSetValueExW.ADVAPI32(?,?,00000000,00000001,?,?), ref: 0309D731
                                                  • RegCloseKey.ADVAPI32(?), ref: 0309D740
                                                  • RegCloseKey.ADVAPI32(?), ref: 0309D753
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                   • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: Close$CreateValue
                                                  • String ID:
                                                  • API String ID: 1009429713-0
                                                  • Opcode ID: 4dc5628b74a95141ce3f2b0e725eea2657c16eb95f3a0a7072057e5cc48d680b
                                                  • Instruction ID: 55ae43b6637fabc76e07606c4855a33f5b55046cb6d4c80438fb4bdd85fa10b6
                                                  • Opcode Fuzzy Hash: 4dc5628b74a95141ce3f2b0e725eea2657c16eb95f3a0a7072057e5cc48d680b
                                                  • Instruction Fuzzy Hash: 55213075741209BBEB14DF94DD46FBB73BCEB88B44F144544FA05AB284E6B4FA009BA0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                   • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: FreeLocal$closesocket
                                                  • String ID:
                                                  • API String ID: 1824021853-0
                                                  • Opcode ID: 3bec10723cf070dc2e555549c94def9f0f8da0e614ce482253ebc24f6fcc0937
                                                  • Instruction ID: 27ed2e0a597bb718b8d427475108e5d64f80487f234ad1b8530576ea49c9cbc2
                                                  • Opcode Fuzzy Hash: 3bec10723cf070dc2e555549c94def9f0f8da0e614ce482253ebc24f6fcc0937
                                                  • Instruction Fuzzy Hash: B1017C377026149FDB21DE59E89489AB3E9FF89BA135804AAF548DB310C731EC41DBA0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
                                                   • Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
                                                   • Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: strchr$CountSleepTick
                                                  • String ID:
                                                  • API String ID: 735077530-0
                                                  • Opcode ID: b3209905ddb0f12c9715f55316b64d7311949ef259e03d389c89a49c4de64b0e
                                                  • Instruction ID: 5013ee55900939cb8237e58fa4fd5d1f0cf1a253710bbf27d013a2f5cbb09ec2
                                                  • Opcode Fuzzy Hash: b3209905ddb0f12c9715f55316b64d7311949ef259e03d389c89a49c4de64b0e
                                                  • Instruction Fuzzy Hash: 08F02D7E30270457EB00E2A8AC85BDB739ADBC4761F1404A5FD0A8B240FD79DD0155B2
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
• Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: strchr$CountSleepTick
                                                  • String ID:
                                                  • API String ID: 735077530-0
                                                  • Opcode ID: d2eaec852213ec2d6200211050fcd75617d69e41046769c994d9dd451c6d5074
                                                  • Instruction ID: 14f87b7772da5cb41766cd243b075ee4df33c62498df80f14a79c49cbda9b01c
                                                  • Opcode Fuzzy Hash: d2eaec852213ec2d6200211050fcd75617d69e41046769c994d9dd451c6d5074
                                                  • Instruction Fuzzy Hash: 87F02B7A6037156BEA20E269FC86ACBF7DCDBC0661F0805A2ED059F201E52D994485F1
                                                  APIs
                                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0309A0A2
                                                  • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0309A0C0
                                                  • CloseHandle.KERNEL32(00000000), ref: 0309A0CB
                                                  • CloseHandle.KERNEL32(00000000), ref: 0309A0D8
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
• Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: CloseFileHandle$CreateWrite
                                                  • String ID:
                                                  • API String ID: 3602564925-0
                                                  • Opcode ID: ba19dde8461c768fdc185a76379d7285b4c4881c7df2e6b2555793646acab609
                                                  • Instruction ID: ce933e78e5fac1e3026b11b49e43e991bd11186f3b68a115bf306d320e598113
                                                  • Opcode Fuzzy Hash: ba19dde8461c768fdc185a76379d7285b4c4881c7df2e6b2555793646acab609
                                                  • Instruction Fuzzy Hash: F1F0F671302614BBE724EB9CEC0DFDA37ACEB88720F000244FD08D72C0D670680087A4
                                                  APIs
                                                    • Part of subcall function 03094900: WaitForSingleObject.KERNEL32(03097495,000000FF,?,00000000,771B0440,?,03097495), ref: 03094939
                                                    • Part of subcall function 03094900: ReleaseMutex.KERNEL32(?,?,03097495), ref: 0309497C
                                                  • lstrlenA.KERNEL32(00000000,00000000,%s.p10-> Message to %s hijacked!,msn), ref: 030A08B1
                                                    • Part of subcall function 03097330: memset.MSVCRT ref: 03097351
                                                    • Part of subcall function 03097330: lstrlenA.KERNEL32(?), ref: 03097369
                                                    • Part of subcall function 03097330: _snprintf.MSVCRT ref: 03097381
                                                    • Part of subcall function 03097330: _vsnprintf.MSVCRT ref: 030973A3
                                                    • Part of subcall function 03097330: lstrlenA.KERNEL32(00000000), ref: 030973B2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
• Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$MutexObjectReleaseSingleWait_snprintf_vsnprintfmemset
                                                  • String ID: %s_0x%08X$bmsn$msnmsg
                                                  • API String ID: 1310428588-4225137719
                                                  • Opcode ID: 9c7d7d5eb9c6c2d251e6d835f259e8a2c8773f1ab3c6d8d638e7d531ff8390af
                                                  • Instruction ID: 98ae16d026cdcd9a7ac34c7cfdfcf429f7f50bc0c242bfc485fce682fb812d27
                                                  • Opcode Fuzzy Hash: 9c7d7d5eb9c6c2d251e6d835f259e8a2c8773f1ab3c6d8d638e7d531ff8390af
                                                  • Instruction Fuzzy Hash: 24F0E23BB576283EE620E6DDBC02FEF768CCB81A61F040196FD08AA202E8954D0102E5
                                                  APIs
                                                    • Part of subcall function 03094900: WaitForSingleObject.KERNEL32(03097495,000000FF,?,00000000,771B0440,?,03097495), ref: 03094939
                                                    • Part of subcall function 03094900: ReleaseMutex.KERNEL32(?,?,03097495), ref: 0309497C
                                                  • lstrlenA.KERNEL32(00000000,?,?,03092696), ref: 030A084B
                                                    • Part of subcall function 030973E0: memset.MSVCRT ref: 03097401
                                                    • Part of subcall function 030973E0: memset.MSVCRT ref: 03097419
                                                    • Part of subcall function 030973E0: lstrlenA.KERNEL32(?), ref: 03097431
                                                    • Part of subcall function 030973E0: _snprintf.MSVCRT ref: 03097449
                                                    • Part of subcall function 030973E0: _vsnprintf.MSVCRT ref: 0309746B
                                                    • Part of subcall function 030973E0: lstrlenA.KERNEL32(?), ref: 0309747A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
• Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$memset$MutexObjectReleaseSingleWait_snprintf_vsnprintf
                                                  • String ID: %s_0x%08X$bmsn$msnmsg
                                                  • API String ID: 3682388603-4225137719
                                                  • Opcode ID: 30173eec7d763d8b7691dc43e613da5b7c55babe6b41ae5132ea230cf00e27f6
                                                  • Instruction ID: c38f76cfd346a04ce4ec26b1809c211084481873f5a6767e092e971241e5ff23
                                                  • Opcode Fuzzy Hash: 30173eec7d763d8b7691dc43e613da5b7c55babe6b41ae5132ea230cf00e27f6
                                                  • Instruction Fuzzy Hash: 25F0A776A976293FEA10F6EC7C02FFF728CCB41950F040191FC18AA141E9955D1102E5
                                                  APIs
                                                  • memset.MSVCRT ref: 0309B9AF
                                                  • EnterCriticalSection.KERNEL32(030DA6C8,?,?,00000000), ref: 0309B9BC
                                                  • wvsprintfA.USER32(00000000,?,00000000), ref: 0309B9D1
                                                    • Part of subcall function 03098B30: memset.MSVCRT ref: 03098B6E
                                                  • LeaveCriticalSection.KERNEL32(030DA6C8,?,?,?,?,?,00000000), ref: 0309B9F2
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
• Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: CriticalSectionmemset$EnterLeavewvsprintf
                                                  • String ID:
                                                  • API String ID: 2410102678-0
                                                  • Opcode ID: 270382067432486bb299b88da9107f1707ebefbd1813f9df261c85b149692264
                                                  • Instruction ID: f8f4f026f80527277ea7f64339483aeb136f26b68fea2a185182bf35e6cb9a7e
                                                  • Opcode Fuzzy Hash: 270382067432486bb299b88da9107f1707ebefbd1813f9df261c85b149692264
                                                  • Instruction Fuzzy Hash: 1DF02BB9E013186FC710FB94EC09FEE3B6CEF44655F044195FF08A6240E670AA058BA4
                                                  APIs
                                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000DD20,00000000,00000000,00000000), ref: 0309E9BF
                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0309E9C6
                                                  • CloseHandle.KERNEL32(00000000), ref: 0309E9C9
                                                  • Sleep.KERNEL32(0000EA60), ref: 0309E9D4
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
• Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: CloseCreateHandleObjectSingleSleepThreadWait
                                                  • String ID:
                                                  • API String ID: 422747524-0
                                                  • Opcode ID: 6492d962ac752e7127b91970077353e807c919af7145e99a421958588382d8a9
                                                  • Instruction ID: c890a1ff1fa7f089e1b47dbaa3ef9841fb09c3985ad59b109684953051f5a58e
                                                  • Opcode Fuzzy Hash: 6492d962ac752e7127b91970077353e807c919af7145e99a421958588382d8a9
                                                  • Instruction Fuzzy Hash: DDF0EC31243E15FBE770A649FC45F5AB39CE745721F280116F310961C482E42981D7A5
                                                  APIs
                                                  • memset.MSVCRT ref: 0309BA1E
                                                  • wvsprintfA.USER32(00000000,00000000,00000000), ref: 0309BA42
                                                    • Part of subcall function 0309B990: memset.MSVCRT ref: 0309B9AF
                                                    • Part of subcall function 0309B990: EnterCriticalSection.KERNEL32(030DA6C8,?,?,00000000), ref: 0309B9BC
                                                    • Part of subcall function 0309B990: wvsprintfA.USER32(00000000,?,00000000), ref: 0309B9D1
                                                    • Part of subcall function 0309B990: LeaveCriticalSection.KERNEL32(030DA6C8,?,?,?,?,?,00000000), ref: 0309B9F2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000011.00000002.2522445472.0000000003090000.00000040.00000400.00020000.00000000.sdmp, Offset: 03090000, based on PE: true
• Associated: 00000011.00000002.2522445472.00000000030C7000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000011.00000002.2522445472.00000000030DA000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000011.00000002.2522445472.00000000030DC000.00000040.00000400.00020000.00000000.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_17_2_3090000_calc.jbxd
                                                  Similarity
                                                  • API ID: CriticalSectionmemsetwvsprintf$EnterLeave
                                                  • String ID: PPPPMSG %s :%s
                                                  • API String ID: 3980427996-569775469
                                                  • Opcode ID: 4ab01e6cb97b949202e37f1afb8fc41a4c06b7657a068076d019cc37209d0481
                                                  • Instruction ID: da6a43ed83cf1e9cbdab454de971c4ac57e0023e8e3b4c4c1c37684cc949c766
                                                  • Opcode Fuzzy Hash: 4ab01e6cb97b949202e37f1afb8fc41a4c06b7657a068076d019cc37209d0481
                                                  • Instruction Fuzzy Hash: D4F0967590120DABDF50EA54EC45FAA73BCFB44740F0481A9B84857241FA74AA588F91

Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed. Entry block 2abb480, final block 2abb8fb-2abb8fe; the per-block API calls are those listed under APIs below.)
                                                  APIs
                                                  • memset.MSVCRT ref: 02ABB4A2
                                                    • Part of subcall function 02AB73E0: memset.MSVCRT ref: 02AB7401
                                                    • Part of subcall function 02AB73E0: memset.MSVCRT ref: 02AB7419
                                                    • Part of subcall function 02AB73E0: lstrlenA.KERNEL32(?), ref: 02AB7431
                                                    • Part of subcall function 02AB73E0: _snprintf.MSVCRT ref: 02AB7449
                                                    • Part of subcall function 02AB73E0: _vsnprintf.MSVCRT ref: 02AB746B
                                                    • Part of subcall function 02AB73E0: lstrlenA.KERNEL32(?), ref: 02AB747A
                                                  • lstrcpyA.KERNEL32(?,02AC1335,?,?,00000000), ref: 02ABB51A
                                                  • HeapAlloc.KERNEL32(?,00000008,00000104,?,?,00000000), ref: 02ABB536
                                                  • GetVersionExA.KERNEL32(?,?,?,00000000), ref: 02ABB550
                                                  • lstrcpyA.KERNEL32(?,ERR,?,?,00000000), ref: 02ABB5F5
                                                  • HeapAlloc.KERNEL32(?,00000008,00000104,?,?,00000000), ref: 02ABB60D
                                                  • strstr.MSVCRT ref: 02ABB641
                                                  • lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 02ABB650
                                                  • lstrlenA.KERNEL32(-00000004,?,?,?,?,?,?,?,?,00000000), ref: 02ABB65F
                                                  • GetLocaleInfoA.KERNEL32(00000800,00000007,00000000,00000400,?,?,?,?,?,?,?,?,00000000), ref: 02ABB67D
                                                  • lstrcmpA.KERNEL32(-00000004,02AC2BE4,?,?,?,?,?,?,?,?,00000000), ref: 02ABB6A8
                                                  • GetLocaleInfoA.KERNEL32(00000800,00000007,00000000,00000400,?,?,?,?,?,?,?,?,00000000), ref: 02ABB6C5
                                                  • lstrcpyA.KERNEL32(?,00000000,?,?,?,?,?,?,00000000), ref: 02ABB719
                                                  • HeapAlloc.KERNEL32(?,00000008,00000104,?,?,?,?,00000000), ref: 02ABB74A
                                                    • Part of subcall function 02AB1BA0: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,02ABB4E3,02AFADA0,?,?,00000000), ref: 02AB1BC5
                                                  • HeapAlloc.KERNEL32(?,00000008,00000104,?,?,?,?,00000000), ref: 02ABB75B
                                                  • HeapAlloc.KERNEL32(?,00000008,00000104,?,?,?,?,00000000), ref: 02ABB76E
                                                  • HeapAlloc.KERNEL32(?,00000008,00000104,?,?,?,?,00000000), ref: 02ABB781
                                                  • _snprintf.MSVCRT ref: 02ABB796
                                                  • _snprintf.MSVCRT ref: 02ABB7AB
                                                  • lstrcpyA.KERNEL32(?,02AC2C0C,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02ABB7CD
                                                  • _snprintf.MSVCRT ref: 02ABB7FC
                                                  • _snprintf.MSVCRT ref: 02ABB863
                                                  • _snprintf.MSVCRT ref: 02ABB878
                                                  • lstrcpyA.KERNEL32(?,02AC2C0C), ref: 02ABB89A
                                                  • _snprintf.MSVCRT ref: 02ABB8C9
                                                  • _snprintf.MSVCRT ref: 02ABB8E0
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 02ABB8F3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.2522608433.0000000002AB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_2ab0000_mspaint.jbxd
                                                  Similarity
                                                  • API ID: _snprintf$AllocHeap$lstrcpy$lstrlen$memset$InfoLocaleTime$??3@FileSystemVersion_vsnprintflstrcmpstrstr
                                                  • String ID: 2K3$2K8$<br>$ERR$VIS$_%s_%s%s_%s$admin$http://api.wipmania.com/$isadmin$n%s_%s_%s%s_%s
                                                  • API String ID: 124843797-4052524521
                                                  • Opcode ID: b81e54c8ea1ec69511102d6c49caea204de85b828e7a3b4534a9af85451a4a77
                                                  • Instruction ID: 9f05eb5702d980edd38f12032ab6a8dad2b8be5f1700bc7fd077a6b0414bc9e7
                                                  • Opcode Fuzzy Hash: b81e54c8ea1ec69511102d6c49caea204de85b828e7a3b4534a9af85451a4a77
                                                  • Instruction Fuzzy Hash: 43C152B1A80305BBE725DBA0CC81FAA73BDBF44B08F104D5CEA46A6541DFB4E945CB61

                                                  Control-flow Graph

                                                  APIs
                                                  • CreateFileW.KERNEL32(02ABF63C,80000000,00000001,00000000,00000003,08000000,00000000,02ABFA77,75A373E0), ref: 02AB1ECD
                                                  • GetLastError.KERNEL32 ref: 02AB1EDA
                                                  • CryptAcquireContextA.ADVAPI32(02ABF63C,00000000,00000000,00000001,F0000000), ref: 02AB1EF5
                                                  • GetLastError.KERNEL32 ref: 02AB1EFF
                                                  • CloseHandle.KERNEL32(00000000), ref: 02AB1F06
                                                  Strings
                                                  • E57E7EF9D1A8B3196C522D45710ED22B, xrefs: 02AB2081
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.2522608433.0000000002AB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_2ab0000_mspaint.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$AcquireCloseContextCreateCryptFileHandle
                                                  • String ID: E57E7EF9D1A8B3196C522D45710ED22B
                                                  • API String ID: 2213256293-4022226963
                                                  • Opcode ID: 2b55383171d308b288eff0c6cfc71d79e0260be51c29eaff4b1794a0369106a0
                                                  • Instruction ID: 363572e57fc80b8d0603d0ebd845cdc3d7a706226e506261dfa52032308c8e02
                                                  • Opcode Fuzzy Hash: 2b55383171d308b288eff0c6cfc71d79e0260be51c29eaff4b1794a0369106a0
                                                  • Instruction Fuzzy Hash: E8516176B40108AFDB119BA4EC88AFEB77CFB48355F60495AFA09D2241DF35C916CB60

                                                  Control-flow Graph

                                                  APIs
                                                  • OpenProcessToken.ADVAPI32(00000000,00000028,?,02AB4E7E,SeDebugPrivilege,00000001,00000000,ntdll.dll,NtGetNextProcess), ref: 02AB4C32
                                                  • GetLastError.KERNEL32 ref: 02AB4C3C
                                                  • LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 02AB4C52
                                                  • GetLastError.KERNEL32 ref: 02AB4C5C
                                                  • CloseHandle.KERNEL32(?), ref: 02AB4C66
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.2522608433.0000000002AB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_2ab0000_mspaint.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$CloseHandleLookupOpenPrivilegeProcessTokenValue
                                                  • String ID:
                                                  • API String ID: 1673749002-0
                                                  • Opcode ID: 514a5b24f2f9575c59c2390dc84bda5ab417705b4eab351b0caf66049f07fd19
                                                  • Instruction ID: b7b21a2ecb8fdd835e3b48119c2832a9031658359013621a9f4d69de7e5a4c4b
                                                  • Opcode Fuzzy Hash: 514a5b24f2f9575c59c2390dc84bda5ab417705b4eab351b0caf66049f07fd19
                                                  • Instruction Fuzzy Hash: A511C139F80208ABCB10DBA4D809FAE77B8EB09701F104948FA09D2242DE75D9148B60
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.2522608433.0000000002AB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_2ab0000_mspaint.jbxd
                                                  Similarity
                                                  • API ID: memset
                                                  • String ID:
                                                  • API String ID: 2221118986-0
                                                  • Opcode ID: 05b5d6f4cd333f1d28301a7d0a941ba34bf673245c89b5b7793a3be16757dd7b
                                                  • Instruction ID: b62fa299de54352b42170872ca95fe28ca57ea1301fa4727c5a00019c3bd153f
                                                  • Opcode Fuzzy Hash: 05b5d6f4cd333f1d28301a7d0a941ba34bf673245c89b5b7793a3be16757dd7b
                                                  • Instruction Fuzzy Hash: 8EA15BB59006059FDB21DFA9C9C09AFB7BDFF84314B14896EE90697A01EB38E901CF51

Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed. Entry block 2ab1290; terminal blocks end in ExitThread (2ab1414-2ab1416) and CreateFileW (2ab141c-2ab143d); the per-block API calls are those listed under APIs below.)
                                                  APIs
                                                  • GetFileAttributesW.KERNEL32(?), ref: 02AB12BE
                                                  • wcsstr.MSVCRT ref: 02AB12FD
                                                  • wcsstr.MSVCRT ref: 02AB1313
                                                  • wcsstr.MSVCRT ref: 02AB1325
                                                  • SetFileAttributesW.KERNEL32(?,00000080), ref: 02AB1368
                                                  • MoveFileExW.KERNEL32(?,00000000,00000004), ref: 02AB1373
                                                  • ExitThread.KERNEL32 ref: 02AB1416
                                                  • CreateFileW.KERNELBASE(?,?,?,?,?,?,?), ref: 02AB1432
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.2522608433.0000000002AB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_2ab0000_mspaint.jbxd
                                                  Similarity
                                                  • API ID: File$wcsstr$Attributes$CreateExitMoveThread
                                                  • String ID: %s.%S$DBWIN$\\.\pipe$brk$dll$exe$ruskill
                                                  • API String ID: 3384778288-1976196219
                                                  • Opcode ID: 7011d51abd6de9d11a3c4e57d28cc2cc1e1c4c384e4445b922a98f08c5a619dc
                                                  • Instruction ID: bee4efd6b77040f7d618572b3d62c680155ded166ed1874fc8cefff24cad3477
                                                  • Opcode Fuzzy Hash: 7011d51abd6de9d11a3c4e57d28cc2cc1e1c4c384e4445b922a98f08c5a619dc
                                                  • Instruction Fuzzy Hash: 1E41EFB2B80205BBEB519F04AC85FDB375CEF48719F2401A8FD0992242EF75D925CAA1

                                                  Control-flow Graph

                                                  APIs
                                                  • memset.MSVCRT ref: 02AB10C0
                                                  • lstrcmpW.KERNELBASE(?,02AFADA0), ref: 02AB10D7
                                                  • CopyFileW.KERNELBASE(?,?,?), ref: 02AB1101
                                                  • lstrcmpW.KERNEL32(?,02AFA710), ref: 02AB111D
                                                  • MoveFileExW.KERNEL32(?,00000000,00000004), ref: 02AB1127
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000104,00000000,00000000), ref: 02AB1161
                                                  • lstrcpyA.KERNEL32(C:\Users\user\Desktop\LisectAVT_2403002C_106.exe,00000000), ref: 02AB1179
                                                  • lstrcpyA.KERNEL32(00000000,02AC1335), ref: 02AB1187
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000104,00000000,00000000), ref: 02AB11A0
                                                  • lstrcpyA.KERNEL32(C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe,00000000), ref: 02AB11B3
                                                    • Part of subcall function 02AB7700: memset.MSVCRT ref: 02AB771E
                                                    • Part of subcall function 02AB7700: _snprintf.MSVCRT ref: 02AB7738
                                                    • Part of subcall function 02AB7700: lstrlenA.KERNEL32(00000000), ref: 02AB7747
                                                  Strings
                                                  • ruskill, xrefs: 02AB1132
                                                  • C:\Users\user\Desktop\LisectAVT_2403002C_106.exe, xrefs: 02AB1174
                                                  • pdef, xrefs: 02AB10DD
                                                  • %s.%S, xrefs: 02AB1137
                                                  • C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe, xrefs: 02AB11AE
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.2522608433.0000000002AB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_2ab0000_mspaint.jbxd
                                                  Similarity
                                                  • API ID: lstrcpy$ByteCharFileMultiWidelstrcmpmemset$CopyMove_snprintflstrlen
                                                  • String ID: %s.%S$C:\Users\user\AppData\Roaming\Microsoft\Windows\Hsnpnw.exe$C:\Users\user\Desktop\LisectAVT_2403002C_106.exe$pdef$ruskill
                                                  • API String ID: 332191758-2548505541
                                                  • Opcode ID: 9d62501bf87755effb252d909be04794cba0160197f14f586a850251d45a9dee
                                                  • Instruction ID: 3d28eb1fe0830c7f7d14ace45771a8d6831cff414bfaea2d48733115c1b82325
                                                  • Opcode Fuzzy Hash: 9d62501bf87755effb252d909be04794cba0160197f14f586a850251d45a9dee
                                                  • Instruction Fuzzy Hash: 7331C3B1780314BBF721D7599C92FEA336CAF85B14F100159FB08A61C2DFB4E954CAA5

                                                  Control-flow Graph

                                                  APIs
                                                  • memset.MSVCRT ref: 02ABAA31
                                                  • lstrcpyA.KERNEL32(00000000,Mozilla/4.0,771A83C0,?,00000000), ref: 02ABAA45
                                                  • InternetOpenA.WININET(00000000,?,?,?,?), ref: 02ABAA60
                                                  • lstrlenA.KERNEL32(02ABB62D), ref: 02ABAA78
                                                  • InternetOpenUrlA.WININET(?,02ABD559,02ABB62D,00000000,04000000,00000000), ref: 02ABAA8C
                                                  • HttpQueryInfoA.WININET(?,20000013,02ABD559,?,00000000), ref: 02ABAAC0
                                                  • InternetQueryDataAvailable.WININET(00000000,?,00000000,00000000), ref: 02ABAAE2
                                                  • ??2@YAPAXI@Z.MSVCRT ref: 02ABAB15
                                                  • InternetReadFile.WININET(00000000,?,00000FF8,00000001), ref: 02ABAB67
                                                  • ??2@YAPAXI@Z.MSVCRT ref: 02ABAB85
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 02ABABA5
                                                  • InternetCloseHandle.WININET(00000000), ref: 02ABABE7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.2522608433.0000000002AB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_2ab0000_mspaint.jbxd
                                                  Similarity
                                                  • API ID: Internet$??2@OpenQuery$??3@AvailableCloseDataFileHandleHttpInfoReadlstrcpylstrlenmemset
                                                  • String ID: Mozilla/4.0
                                                  • API String ID: 2392773942-2634101963
                                                  • Opcode ID: 1289ca73d2a8e6850d8d51d85b1e95f98e21099286b681cac8ebbece055e9ee1
                                                  • Instruction ID: 44aaaa51dd7e1dcb23f8b36d947973a49e93c6d8b9e49de427d4d30410e7d10b
                                                  • Opcode Fuzzy Hash: 1289ca73d2a8e6850d8d51d85b1e95f98e21099286b681cac8ebbece055e9ee1
                                                  • Instruction Fuzzy Hash: E951D271A80205AFD761CF95D884BAA77F8EF88314F14486DE608D7242DF74D956CFA0

                                                  Control-flow Graph

                                                  APIs
                                                  • memset.MSVCRT ref: 02ABE8A0
                                                  • lstrlenA.KERNEL32(30e4*ga1), ref: 02ABE8AD
                                                  • _snprintf.MSVCRT ref: 02ABE8D0
                                                  • CreateNamedPipeA.KERNEL32(00000000,00000003,00000006,000000FF,00000800,00000800,00001388,00000000), ref: 02ABE8FF
                                                  • ConnectNamedPipe.KERNELBASE(00000000,00000000), ref: 02ABE913
                                                  • GetLastError.KERNEL32 ref: 02ABE91D
                                                  • CreateThread.KERNEL32(00000000,00000000,02ABD7A0,00000000,00000000,00000000), ref: 02ABE941
                                                  • CloseHandle.KERNEL32(00000000), ref: 02ABE94B
                                                  • CreateNamedPipeA.KERNEL32(00000000,00000003,00000006,000000FF,00000800,00000800,00001388,00000000), ref: 02ABE96E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.2522608433.0000000002AB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_2ab0000_mspaint.jbxd
                                                  Similarity
                                                  • API ID: CreateNamedPipe$CloseConnectErrorHandleLastThread_snprintflstrlenmemset
                                                  • String ID: 30e4*ga1$\\.\pipe\%08x_ipc
                                                  • API String ID: 4065143564-3576121390
                                                  • Opcode ID: 00f752223c895c31bf19ca5b439c1d638c147c31d22bbe33136fa93de1f3a489
                                                  • Instruction ID: 9b908f39853ccf3d55488c0866bf9157ad08057bac6437ee3550ff5feff0c9f7
                                                  • Opcode Fuzzy Hash: 00f752223c895c31bf19ca5b439c1d638c147c31d22bbe33136fa93de1f3a489
                                                  • Instruction Fuzzy Hash: 65210871FC0315BAF33062644C46FE6765CAF04F10FB04568F705F91C1DEE0A5198AA9

                                                  Control-flow Graph

                                                  APIs
                                                  • strncpy.MSVCRT ref: 02AB4B1A
                                                  • sprintf.MSVCRT ref: 02AB4B2C
                                                  • CreateMutexA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 02AB4B3F
                                                  • _snprintf.MSVCRT ref: 02AB4B6F
                                                  • OpenFileMappingA.KERNEL32(000F001F,00000000,?), ref: 02AB4B85
                                                  • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02AB4B97
                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02AB4BE3
                                                  • ReleaseMutex.KERNEL32(?,?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02AB4C02
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.2522608433.0000000002AB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_2ab0000_mspaint.jbxd
                                                  Similarity
                                                  • API ID: Mutex$ChangeCloseCreateFileFindMappingNotificationObjectOpenReleaseSingleWait_snprintfsprintfstrncpy
                                                  • String ID: %s_0$-%sMutex
                                                  • API String ID: 1674471773-892854768
                                                  • Opcode ID: 9e7dcb8bc997c159107cabe76f6faf6ec377cdc40203aa285452a950dd6bd0eb
                                                  • Instruction ID: c7c02f8c03d099d9e32e386916c04a2e0566574a3c5e7dd1d51696de5617e3e2
                                                  • Opcode Fuzzy Hash: 9e7dcb8bc997c159107cabe76f6faf6ec377cdc40203aa285452a950dd6bd0eb
                                                  • Instruction Fuzzy Hash: 0B3178B5680204ABE720EF649C91FDAB7ACAF48714F144519EA5897243EFB0D444CAA0

                                                  Control-flow Graph

                                                  APIs
                                                  • LdrEnumerateLoadedModules.NTDLL(00000000,Function_00005040,?), ref: 02AB5B0D
                                                  • CreateThread.KERNEL32(00000000,00000000,Function_00005070,00000000,00000000,00000000), ref: 02AB5C03
                                                  • CloseHandle.KERNEL32(00000000), ref: 02AB5C0A
                                                  • CreateThread.KERNEL32(00000000,00000000,Function_000050F0,00000000,00000000,00000000), ref: 02AB5C3D
                                                  • CloseHandle.KERNEL32(00000000), ref: 02AB5C44
                                                    • Part of subcall function 02AB3920: RtlAnsiStringToUnicodeString.NTDLL(?,?,00000000), ref: 02AB3962
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.2522608433.0000000002AB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_2ab0000_mspaint.jbxd
                                                  Similarity
                                                  • API ID: CloseCreateHandleStringThread$AnsiEnumerateLoadedModulesUnicode
                                                  • String ID: LdrLoadDll$NtResumeThread$ntdll.dll
                                                  • API String ID: 1691487058-1814628691
                                                  • Opcode ID: 6bc540b4301fdba9f65c16fb433c378808acb10fdca8601c5b0be326a7e1727c
                                                  • Instruction ID: 1828f44dfea1d1b7654b7f7ccde30674de5ddf5712d02987d9eb1ec9d39830f3
                                                  • Opcode Fuzzy Hash: 6bc540b4301fdba9f65c16fb433c378808acb10fdca8601c5b0be326a7e1727c
                                                  • Instruction Fuzzy Hash: 4A619071B80302ABEB25DB68CCC1FA673A9BF44704F544918E906AB642EF70F416CB90

                                                  Control-flow Graph

                                                  APIs
                                                  • memset.MSVCRT ref: 02ABFCB0
                                                  • lstrlenA.KERNEL32(30e4*ga1), ref: 02ABFCBD
                                                  • _snprintf.MSVCRT ref: 02ABFCE0
                                                  • lstrcpyW.KERNEL32(02AFB9A0,02AFADA0), ref: 02ABFCF2
                                                  • lstrcpyA.KERNEL32(02AFBDB0,02AC2FC0), ref: 02ABFD08
                                                  • lstrcpyA.KERNEL32(02AFBEB4,?), ref: 02ABFD16
                                                    • Part of subcall function 02ABF9E0: memset.MSVCRT ref: 02ABF9FF
                                                    • Part of subcall function 02ABF9E0: GetLogicalDriveStringsA.KERNEL32(000001FF,00000000), ref: 02ABFA22
                                                    • Part of subcall function 02ABF9E0: lstrcatA.KERNEL32(00000000,02AC3040,?,771A83C0,?,?,00000000), ref: 02ABFA5C
                                                    • Part of subcall function 02ABFB60: RegisterClassExA.USER32(?), ref: 02ABFC05
                                                    • Part of subcall function 02ABFB60: CreateWindowExA.USER32(00000000,gdkWindowToplevelClass,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 02ABFC20
                                                    • Part of subcall function 02ABFB60: RegisterDeviceNotificationA.USER32(00000000,00000020,00000000), ref: 02ABFC30
                                                    • Part of subcall function 02ABFB60: GetMessageA.USER32(?,00000000,00000000,00000000), ref: 02ABFC48
                                                    • Part of subcall function 02ABFB60: TranslateMessage.USER32(?), ref: 02ABFC61
                                                    • Part of subcall function 02ABFB60: DispatchMessageA.USER32(?), ref: 02ABFC67
                                                    • Part of subcall function 02ABFB60: GetMessageA.USER32(?,00000000,00000000,00000000), ref: 02ABFC74
                                                  • Sleep.KERNEL32(00003A98), ref: 02ABFD61
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.2522608433.0000000002AB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_2ab0000_mspaint.jbxd
                                                  Similarity
                                                  • API ID: Message$lstrcpy$Registermemset$ClassCreateDeviceDispatchDriveLogicalNotificationSleepStringsTranslateWindow_snprintflstrcatlstrlen
                                                  • String ID: 30e4*ga1
                                                  • API String ID: 496236647-1706321449
                                                  • Opcode ID: 2f6edc64bee166697fd01623e56a3795a15c8047010d3fd524df5b25c40edf43
                                                  • Instruction ID: d82e67e1ed5a4edd21abfe4722717a2a32a76d759276a3ee5444844e0a389f66
                                                  • Opcode Fuzzy Hash: 2f6edc64bee166697fd01623e56a3795a15c8047010d3fd524df5b25c40edf43
                                                  • Instruction Fuzzy Hash: C01151B1DC0318BFF750AB94DC81A997778BB08708F50485AF745A2142DFB8A9958F61
                                                  APIs
                                                  • htons.WS2_32(02AFB96C), ref: 02AB2A44
                                                    • Part of subcall function 02AB2460: GetProcessHeap.KERNEL32(?,02ABECE5,00000104), ref: 02AB246C
                                                    • Part of subcall function 02AB2460: HeapAlloc.KERNEL32(?,00000008,02ABECE5,?,02ABECE5,00000104), ref: 02AB247E
                                                  • socket.WS2_32(00000002,00000001,00000006), ref: 02AB2A8A
                                                  • WSAGetLastError.WS2_32(?,?,00000001,?,02AFB96C,?,?,?,?,02ABDD50), ref: 02AB2A96
                                                  • GetLastError.KERNEL32(?,?,00000001,?,02AFB96C,?,?,?,?,02ABDD50), ref: 02AB2A9B
                                                    • Part of subcall function 02AB24A0: GetProcessHeap.KERNEL32(00000000,?,02AB2B64,00000000,?,?,00000001,?,02AFB96C,?,?,?,?,02ABDD50), ref: 02AB24B4
                                                    • Part of subcall function 02AB24A0: HeapFree.KERNEL32(?,00000000,02AB2B64,00000000,?,02AB2B64,00000000,?,?,00000001,?,02AFB96C), ref: 02AB24C3
                                                  • inet_ntoa.WS2_32(00000002), ref: 02AB2AEE
                                                  • connect.WS2_32(00000000,?,00000010), ref: 02AB2AFC
                                                  • Sleep.KERNEL32(000005DC,?,?,?,?,00000001,?,02AFB96C,?,?,?,?,02ABDD50), ref: 02AB2B0B
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.2522608433.0000000002AB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_2ab0000_mspaint.jbxd
                                                  Similarity
                                                  • API ID: Heap$ErrorLastProcess$AllocFreeSleepconnecthtonsinet_ntoasocket
                                                  • String ID:
                                                  • API String ID: 268164981-0
                                                  • Opcode ID: 2cba6ccb8a8831c71a2b70da3a5b6926f01343213f386f890a2f4ab4c4760029
                                                  • Instruction ID: f7f73d5174a10368e15b3c4d00dc84cd53765f32183b2ebea1819922655eecc5
                                                  • Opcode Fuzzy Hash: 2cba6ccb8a8831c71a2b70da3a5b6926f01343213f386f890a2f4ab4c4760029
                                                  • Instruction Fuzzy Hash: 7C41D2B1E402049BDB21EFB8D980BAEB7BAEF45324F10416AE9199B341DF319941CF91
                                                  APIs
                                                    • Part of subcall function 02AB3810: GetProcessHeap.KERNEL32(00000000,00000000,?,02AB4046,?,00000000,00000000,00000000,00000000,?,?,?), ref: 02AB3819
                                                    • Part of subcall function 02AB3810: HeapAlloc.KERNEL32(00000000,?,02AB4046,?,00000000,00000000,00000000,00000000,?,?,?), ref: 02AB3820
                                                  • sprintf.MSVCRT ref: 02ABF2E9
                                                  • CreateFileA.KERNEL32(00000000,00000000,00000003,00000000,00000003,00000000,00000000), ref: 02ABF2FA
                                                  • memset.MSVCRT ref: 02ABF323
                                                  • DeviceIoControl.KERNELBASE(00000000,002D1400,02AC09A7,0000000C,?,00000400,00000000,00000000), ref: 02ABF352
                                                  • FindCloseChangeNotification.KERNELBASE(00000000), ref: 02ABF35B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.2522608433.0000000002AB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_2ab0000_mspaint.jbxd
                                                  Similarity
                                                  • API ID: Heap$AllocChangeCloseControlCreateDeviceFileFindNotificationProcessmemsetsprintf
                                                  • String ID: \\.\%c:
                                                  • API String ID: 3750536436-1260769427
                                                  • Opcode ID: 04a18775db362a73442549dbe734e5d0d2d9bc3821d7b1eafcd4fa4800b289d8
                                                  • Instruction ID: e20c3b2864cb855f84caf214c1d7cf1cc482b3f5d13da54df30e159ad1973834
                                                  • Opcode Fuzzy Hash: 04a18775db362a73442549dbe734e5d0d2d9bc3821d7b1eafcd4fa4800b289d8
                                                  • Instruction Fuzzy Hash: A121B6F1D402087FEB11DF949CC5EEEB77CAB45754F1001A9F618A2141EAB44E558AA1
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.2522608433.0000000002AB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_2ab0000_mspaint.jbxd
                                                  Similarity
                                                  • API ID: ProcWindowsprintf
                                                  • String ID: %c:\$[USB]: Infected %s
                                                  • API String ID: 3179433310-2800184719
                                                  • Opcode ID: b0803d95fa457dff2a4f20c2d5f56342fa7c6d0fc39b94d2630fdcc9238b282c
                                                  • Instruction ID: 9be242434063b2e5877e18f0051fafe089ee024e71bb3ca03a2af80a566b2e85
                                                  • Opcode Fuzzy Hash: b0803d95fa457dff2a4f20c2d5f56342fa7c6d0fc39b94d2630fdcc9238b282c
                                                  • Instruction Fuzzy Hash: B81194B69401086FDB14DF68DD91ABAB36DEF44308F088959FE05D2102EF35E912CB61
                                                  APIs
                                                    • Part of subcall function 02AB2460: GetProcessHeap.KERNEL32(?,02ABECE5,00000104), ref: 02AB246C
                                                    • Part of subcall function 02AB2460: HeapAlloc.KERNEL32(?,00000008,02ABECE5,?,02ABECE5,00000104), ref: 02AB247E
                                                  • inet_addr.WS2_32(?), ref: 02AB28BE
                                                  • DnsQuery_A.DNSAPI(?,00000001,00000008,00000000,?,00000000), ref: 02AB2939
                                                  • _stricmp.MSVCRT(?,?,?,00000000,?,?,?,?,00000001,?,02AFB96C,?,?,?,?,02ABDD50), ref: 02AB294E
                                                  • DnsFree.DNSAPI(?,00000001), ref: 02AB29D9
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.2522608433.0000000002AB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_2ab0000_mspaint.jbxd
                                                  Similarity
                                                  • API ID: Heap$AllocFreeProcessQuery__stricmpinet_addr
                                                  • String ID:
                                                  • API String ID: 3002912770-0
                                                  • Opcode ID: 1c1d0b0d8140d7d6fdfc1aa50e61462315b9b968e84d10830e23181a869ce453
                                                  • Instruction ID: eb6f72dcf6812b6b5c342d0f8ef4ed4dc969903f462a1002bde26519aadc81f7
                                                  • Opcode Fuzzy Hash: 1c1d0b0d8140d7d6fdfc1aa50e61462315b9b968e84d10830e23181a869ce453
                                                  • Instruction Fuzzy Hash: 105184706402059FD722DF58C9C0BAAB7BAFF89704F24445ADD899B381DF71E941CB91
                                                  APIs
                                                  • RegCreateKeyExW.KERNELBASE(02AFB1B8,?,00000000,00000000,00000000,000F003F,00000000,02AFADA0,02AFB1B8,02AFB1B8,02AFADA0), ref: 02ABD6FD
                                                  • RegSetValueExW.KERNELBASE(771B16C0,?,00000000,00000001,?,?,771B16C0), ref: 02ABD731
                                                  • RegCloseKey.KERNELBASE(?), ref: 02ABD740
                                                  • RegCloseKey.ADVAPI32(?), ref: 02ABD753
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.2522608433.0000000002AB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_2ab0000_mspaint.jbxd
                                                  Similarity
                                                  • API ID: Close$CreateValue
                                                  • String ID:
                                                  • API String ID: 1009429713-0
                                                  • Opcode ID: 80138623e82490b362821fd85ea102f7460efd0cd4dc4aaecae5801094ee6eae
                                                  • Instruction ID: d165ca1ccee9591b1339e814185d073b593b0ca1c00b62a7eb1eb5b0d5d7e4f7
                                                  • Opcode Fuzzy Hash: 80138623e82490b362821fd85ea102f7460efd0cd4dc4aaecae5801094ee6eae
                                                  • Instruction Fuzzy Hash: 1B212175740209BBDB14CB94DC46FEA737CEF88B44F204544FA09AB285EA74FA11D794
                                                  APIs
                                                  • CreateFileW.KERNEL32(?,00000100,00000001,00000000,00000003,02AFADA0,00000000,00000000,?,?,02AB1B49,5C6F0000,?,?,?,00000000), ref: 02AB1A36
                                                  • SetFileTime.KERNELBASE(00000000,02ABEB08,00000004,?,?,?,02AB1B49,5C6F0000,?,?,?,00000000,?,02AFADA0,00000004,?), ref: 02AB1A50
                                                  • CloseHandle.KERNEL32(00000000,?,?,02AB1B49,5C6F0000,?,?,?,00000000,?,02AFADA0,00000004,?,5C6F0000,00000004,02AFADA0), ref: 02AB1A59
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.2522608433.0000000002AB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_2ab0000_mspaint.jbxd
                                                  Similarity
                                                  • API ID: File$CloseCreateHandleTime
                                                  • String ID:
                                                  • API String ID: 3397143404-0
                                                  • Opcode ID: 6e1690af6d3c5f03fe93dd8d01a779d1e30122379af6b3e607b473bd01ddebad
                                                  • Instruction ID: c660c9c06624c4be4039d039179587bad4336ecd6537a93e1c42d11dd65c272b
                                                  • Opcode Fuzzy Hash: 6e1690af6d3c5f03fe93dd8d01a779d1e30122379af6b3e607b473bd01ddebad
                                                  • Instruction Fuzzy Hash: 7CF0BE716D12147FEB105E64DC4AFE7379D9B09724F100605F929973C1CAA8E8598AB0
                                                  APIs
                                                  • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,02ABB4E3,00000000,00000000,00000000,?,02AB1BDB,02ABB4E3,?,00000000,00000000,00000000), ref: 02AB1A96
                                                  • GetFileTime.KERNEL32(00000000,00000000,00000000,?,?,02AB1BDB,02ABB4E3,?,00000000,00000000,00000000), ref: 02AB1AB0
                                                  • CloseHandle.KERNEL32(00000000,?,02AB1BDB,02ABB4E3,?,00000000,00000000,00000000,?,?,?,?,?,?,?,02ABB4E3), ref: 02AB1AB9
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.2522608433.0000000002AB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_2ab0000_mspaint.jbxd
                                                  Similarity
                                                  • API ID: File$CloseCreateHandleTime
                                                  • String ID:
                                                  • API String ID: 3397143404-0
                                                  • Opcode ID: 404d35021ba9de3602765263447fc99198567268c2c7cad123bf16d73011bb57
                                                  • Instruction ID: a6f5b87bbbc161306c933131e63dc1b8e9520893735042909fc95a9e0b6fb834
                                                  • Opcode Fuzzy Hash: 404d35021ba9de3602765263447fc99198567268c2c7cad123bf16d73011bb57
                                                  • Instruction Fuzzy Hash: B7F0BE756D12147FEB105E64DC4AFE7379CDB0A724F144605F929973C1CA68E8158AB0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.2522608433.0000000002AB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_2ab0000_mspaint.jbxd
                                                  Similarity
                                                  • API ID: Startupmemset
                                                  • String ID:
                                                  • API String ID: 1873301828-0
                                                  • Opcode ID: 56d6117c258e9202a5654279ea9f66fc93e66fe287d5f588884b572fce376d5b
                                                  • Instruction ID: 30dff0aed7802fc622db8641826ce7d2684cea13faa7b7f535f4e8529b9cda8b
                                                  • Opcode Fuzzy Hash: 56d6117c258e9202a5654279ea9f66fc93e66fe287d5f588884b572fce376d5b
                                                  • Instruction Fuzzy Hash: 11F0E570D5021CAAEF3296E49C427F673AD9F48704F0002DAEE0CE6186EF714E958B82
                                                  APIs
                                                  • GetSystemTimeAsFileTime.KERNEL32(?,771B0F00,?,?,02ABEB08,02AFADA0), ref: 02AB1AE9
                                                    • Part of subcall function 02AB1A10: CreateFileW.KERNEL32(?,00000100,00000001,00000000,00000003,02AFADA0,00000000,00000000,?,?,02AB1B49,5C6F0000,?,?,?,00000000), ref: 02AB1A36
                                                    • Part of subcall function 02AB1A10: SetFileTime.KERNELBASE(00000000,02ABEB08,00000004,?,?,?,02AB1B49,5C6F0000,?,?,?,00000000,?,02AFADA0,00000004,?), ref: 02AB1A50
                                                    • Part of subcall function 02AB1A10: CloseHandle.KERNEL32(00000000,?,?,02AB1B49,5C6F0000,?,?,?,00000000,?,02AFADA0,00000004,?,5C6F0000,00000004,02AFADA0), ref: 02AB1A59
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.2522608433.0000000002AB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_2ab0000_mspaint.jbxd
                                                  Similarity
                                                  • API ID: FileTime$CloseCreateHandleSystem
                                                  • String ID:
                                                  • API String ID: 489727163-0
                                                  • Opcode ID: 353c0cb3ada1abe635e1f062ff852d6d4bc37a1b58e613c44bcbcc26facdfd6f
                                                  • Instruction ID: 793104018f0f052f92fff0f35870327c2af8d42048452a073cf2a281f430c77f
                                                  • Opcode Fuzzy Hash: 353c0cb3ada1abe635e1f062ff852d6d4bc37a1b58e613c44bcbcc26facdfd6f
                                                  • Instruction Fuzzy Hash: 9C1100B6D40228BACB01EFE4CD40EEFB77DAF48B00F04458AB615A3145EA70A704CB94
                                                  APIs
                                                  • select.WS2_32(?,02AFB868,00000000,00000000,02AFB984), ref: 02ABBB28
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.2522608433.0000000002AB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_2ab0000_mspaint.jbxd
                                                  Similarity
                                                  • API ID: select
                                                  • String ID:
                                                  • API String ID: 1274211008-0
                                                  • Opcode ID: e231f55249cc3dd229314855af1673115479de15235ac4e9de4c68c9ce5f118e
                                                  • Instruction ID: 0f7c0d6ff5cf1fc601cd1fce13f075393554c9ef9a6a4beb8bde22b65d6088c7
                                                  • Opcode Fuzzy Hash: e231f55249cc3dd229314855af1673115479de15235ac4e9de4c68c9ce5f118e
                                                  • Instruction Fuzzy Hash: 11F09EB09916049FE354DF59D480521B7F5EBCD70CB608D6EE6098B221EF75D852CF60
                                                  APIs
                                                  • setsockopt.WS2_32(?,0000FFFF,00001006,?,00000004), ref: 02AB2C4F
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.2522608433.0000000002AB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_2ab0000_mspaint.jbxd
                                                  Similarity
                                                  • API ID: setsockopt
                                                  • String ID:
                                                  • API String ID: 3981526788-0
                                                  • Opcode ID: d36b817c9d451c3f66f4040e37ae58ed246aa4763513cf04cf5037d1a06c3b43
                                                  • Instruction ID: 2b56cb0e82f61bf8eff83d21f32486ce29b9b7c5e96b06dbfdabbecc45f57370
                                                  • Opcode Fuzzy Hash: d36b817c9d451c3f66f4040e37ae58ed246aa4763513cf04cf5037d1a06c3b43
                                                  • Instruction Fuzzy Hash: 7ED01275254209ABDB04DE68C882D9D77989B08720F108229FA28CB2C0E671E9408F50
                                                  APIs
                                                  • GetFileAttributesW.KERNELBASE(02ABF629,?,02ABF629,?), ref: 02AB1CF7
                                                  Memory Dump Source
                                                  • Source File: 00000012.00000002.2522608433.0000000002AB0000.00000040.00000400.00020000.00000000.sdmp, Offset: 02AB0000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_18_2_2ab0000_mspaint.jbxd
                                                  Similarity
                                                  • API ID: AttributesFile
                                                  • String ID:
                                                  • API String ID: 3188754299-0
                                                  • Opcode ID: fb60c3f2891af1994afbaf2c395ddf1560f508a69e985ea8c31398bd94106bc5
                                                  • Instruction ID: 4398f82a93f5a6851652bbf9bbc6f4d388889fe0b6c33c4007d3e1f496576d66
                                                  • Opcode Fuzzy Hash: fb60c3f2891af1994afbaf2c395ddf1560f508a69e985ea8c31398bd94106bc5
                                                  • Instruction Fuzzy Hash: 9BB0923A650208978A005AE8A84A88D379D5A04A307604B00F52CC26C1DA28E9E14690
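The function records above all share one layout: an APIs list of `Name.MODULE(args), ref: address` lines (some marked as made from a subcall), then the Similarity block carrying the function's Opcode ID. Reading them by hand means decoding the argument columns each time, so the following Python, added here as an example and not part of Joe Sandbox or of the analysed sample, parses that layout and labels each function from the call combination plus the decoded constants: 000F003F as KEY_ALL_ACCESS in the RegCreateKeyExW record, 00000001/00000008 as DNS_TYPE_A/DNS_QUERY_BYPASS_CACHE in the DnsQuery_A record, and 80000000/00000100 as GENERIC_READ/FILE_WRITE_ATTRIBUTES in the two CreateFileW calls that bracket GetFileTime and SetFileTime. The behaviour labels are this script's own vocabulary, and SAMPLE is a constructed input that reproduces the API and Opcode ID lines of four records above with the CloseHandle, RegCloseKey, DnsFree and hash lines dropped.

```python
"""Parse Joe Sandbox per-function "APIs" records (layout of the listing above) and
label each function by its call pattern.  Added example, not Joe Sandbox code."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Call line "Name.MODULE(arg,...), ref: ADDR", optionally prefixed "Part of subcall function X:".
API_RE = re.compile(r"^(\w+)\.(\w+)\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]+)$")
SUBCALL_RE = re.compile(r"^Part of subcall function ([0-9A-Fa-f]+):\s*(.*)$")
# Windows SDK values for the argument columns decoded below.
DNS_TYPE_A, DNS_QUERY_BYPASS_CACHE, KEY_ALL_ACCESS = 0x1, 0x8, 0xF003F
GENERIC_READ, FILE_WRITE_ATTRIBUTES = 0x80000000, 0x100

@dataclass
class ApiCall:
    name: str
    args: list[str]                   # 8-digit hex strings as printed; "?" = not recovered
    ref: int                          # call-site address inside the dumped image
    subcall_of: Optional[str] = None  # callee address when Joe Sandbox attributes the call to a callee

    def arg(self, i: int) -> Optional[int]:
        return None if i >= len(self.args) or self.args[i] == "?" else int(self.args[i], 16)

@dataclass
class FunctionRecord:
    calls: list[ApiCall] = field(default_factory=list)
    opcode_id: str = ""

    def first(self, name: str) -> Optional[ApiCall]:
        return next((c for c in self.calls if c.name == name), None)

def parse_records(text: str) -> list[FunctionRecord]:
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line == "APIs":                                  # header that opens every record
            cur = FunctionRecord()
            records.append(cur)
        elif cur is None or not line:
            continue
        elif line.startswith("Opcode ID:"):
            cur.opcode_id = line.split(":", 1)[1].strip()
        else:
            sub = SUBCALL_RE.match(line)
            m = API_RE.match(sub.group(2) if sub else line)
            if m:
                args = [a.strip() for a in m.group(3).split(",")] if m.group(3) else []
                cur.calls.append(ApiCall(m.group(1), args, int(m.group(4), 16), sub and sub.group(1)))
    return records

def hx(v: Optional[int]) -> str:
    return "?" if v is None else f"0x{v:X}"

def classify(rec: FunctionRecord) -> list[str]:
    labels = []
    cf = rec.first("CreateFileW")
    access = cf.arg(1) if cf else None                      # dwDesiredAccess column
    if rec.first("SetFileTime"):                            # GetFileTime -> SetFileTime pairs are the classic timestomp shape
        src = "the current time" if rec.first("GetSystemTimeAsFileTime") else "a caller-supplied time"
        mode = "FILE_WRITE_ATTRIBUTES" if access and access & FILE_WRITE_ATTRIBUTES else hx(access)
        labels.append(f"file-time: sets file times from {src} (handle access {mode})")
    if rec.first("GetFileTime"):
        mode = "GENERIC_READ" if access and access & GENERIC_READ else hx(access)
        labels.append(f"file-time: reads file times (handle access {mode})")
    rk = rec.first("RegCreateKeyExW")
    if rk and rec.first("RegSetValueExW"):
        sam = rk.arg(5)                                     # samDesired column
        labels.append(f"registry: creates key and writes value (samDesired={'KEY_ALL_ACCESS' if sam == KEY_ALL_ACCESS else hx(sam)})")
    dq = rec.first("DnsQuery_A")
    if dq:
        wtype, opts = dq.arg(1), dq.arg(2)                  # wType, Options columns
        bypass = ", bypassing the resolver cache" if opts and opts & DNS_QUERY_BYPASS_CACHE else ""
        labels.append(f"dns: resolves {'A' if wtype == DNS_TYPE_A else hx(wtype)} record{bypass}")
    return labels

def analyze(text: str) -> dict[str, list[str]]:
    """Opcode ID prefix -> labels for every record in the listing."""
    return {r.opcode_id[:8]: classify(r) for r in parse_records(text) if r.opcode_id}

# Constructed input: API and Opcode ID lines of four records from the listing above.
SAMPLE = """
APIs
• inet_addr.WS2_32(?), ref: 02AB28BE
• DnsQuery_A.DNSAPI(?,00000001,00000008,00000000,?,00000000), ref: 02AB2939
• Opcode ID: 1c1d0b0d8140d7d6fdfc1aa50e61462315b9b968e84d10830e23181a869ce453
APIs
• RegCreateKeyExW.KERNELBASE(02AFB1B8,?,00000000,00000000,00000000,000F003F,00000000,02AFADA0,02AFB1B8,02AFB1B8,02AFADA0), ref: 02ABD6FD
• RegSetValueExW.KERNELBASE(771B16C0,?,00000000,00000001,?,?,771B16C0), ref: 02ABD731
• Opcode ID: 80138623e82490b362821fd85ea102f7460efd0cd4dc4aaecae5801094ee6eae
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,02ABB4E3,00000000,00000000,00000000,?,02AB1BDB,02ABB4E3,?,00000000,00000000,00000000), ref: 02AB1A96
• GetFileTime.KERNEL32(00000000,00000000,00000000,?,?,02AB1BDB,02ABB4E3,?,00000000,00000000,00000000), ref: 02AB1AB0
• Opcode ID: 404d35021ba9de3602765263447fc99198567268c2c7cad123bf16d73011bb57
APIs
• GetSystemTimeAsFileTime.KERNEL32(?,771B0F00,?,?,02ABEB08,02AFADA0), ref: 02AB1AE9
  • Part of subcall function 02AB1A10: CreateFileW.KERNEL32(?,00000100,00000001,00000000,00000003,02AFADA0,00000000,00000000,?,?,02AB1B49,5C6F0000,?,?,?,00000000), ref: 02AB1A36
  • Part of subcall function 02AB1A10: SetFileTime.KERNELBASE(00000000,02ABEB08,00000004,?,?,?,02AB1B49,5C6F0000,?,?,?,00000000,?,02AFADA0,00000004,?), ref: 02AB1A50
• Opcode ID: 353c0cb3ada1abe635e1f062ff852d6d4bc37a1b58e613c44bcbcc26facdfd6f
"""
```

`analyze(SAMPLE)` returns one label list per Opcode ID prefix. Two caveats when extending the rules: the argument columns are a raw snapshot of the stack at the call site, so entries past the API's real parameter count and some `?` values are noise and only the first few columns should be trusted, and the `ref` address is relative to the dump base 02AB0000 named in the Memory Dump Source lines, which is how to get from a label back to the call site. The same column decoding covers the setsockopt record above: 0000FFFF is SOL_SOCKET and 00001006 is SO_RCVTIMEO, a receive timeout on the socket.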